RE: ssh public key auth using pam_ldap
- From: "Dana, Jason T." <Jason.Dana [at] jhuapl.edu>
- To: Norman Gray <gray [at] nxg.name>
- Cc: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: RE: ssh public key auth using pam_ldap
- Date: Tue, 28 Apr 2020 16:58:22 +0000
On 4/28/20, 12:38 PM, "Norman Gray" wrote:
> Jason, hello.
> On 28 Apr 2020, at 17:30, Dana, Jason T. wrote:
> > I am trying to configure pam and/or nslcd to query an AD/LDAP server
> > when a user accesses a system via SSH using public key authentication.
> >
> > I have successfully configured nslcd to query the AD/LDAP server and
> > filter on a specific group. Unfortunately it does not appear to apply
> > if the user is accessing the system using public key authentication. I
> > have attempted a number of different sshd pam configuration changes
> > and have added a pam_authz_search entry to nslcd.conf, but
> > unfortunately none appear to be getting used.
> The way I've set this up is by storing the public key in the LDAP
> database, and using the sshd_config AuthorizedKeysCommand to do a lookup
> by username. That ignores any key in ~/.ssh/authorized_keys.
> Is that what you're aiming for? I can add further details if so.
> Note that that doesn't involve PAM at all (IIRC) -- it's the ssh daemon
> that does the lookup and checks the key.
Thank you for the reply Norman!
I have been looking into this option as well, but so far it is not looking like
my company will support adding public keys to the user's AD accounts.
Jason
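The AuthorizedKeysCommand approach Norman describes, written out as an added example (this is not code posted by either Norman or Jason). It assumes keys are stored one per value in a multi-valued sshPublicKey attribute (the openssh-lpk convention; an AD deployment may use a different attribute name), that the directory is queried with the OpenLDAP ldapsearch client using a read-only bind whose password lives in /etc/ssh/ldap.pw, and that the group restriction Jason wants is expressed with memberOf (native in AD, requires the memberof overlay on OpenLDAP). The URI, base DN, bind DN and group DN are placeholders. The two points a practitioner should not skip are visible in the code: sshd passes %u verbatim, so the username is whitelisted and filter-escaped before it goes into an LDAP filter, and a base64-encoded attribute value can smuggle a newline, so every value is checked to be a single authorized_keys line before it is printed.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: fetch a user's SSH public keys from LDAP/AD.

Added example for this thread, not code from either poster. Run by sshd as
`AuthorizedKeysCommand /usr/local/sbin/ldap-keys %u`; sshd trusts only what
is printed, and a non-zero exit or empty output means "no keys from LDAP".
"""
import base64
import re
import subprocess
import sys

LDAP_URI = "ldaps://ldap.example.org"                   # assumption
BASE_DN = "ou=People,dc=example,dc=org"                 # assumption
BIND_DN = "cn=sshd-ro,ou=Services,dc=example,dc=org"    # assumption: read-only bind
PW_FILE = "/etc/ssh/ldap.pw"                            # root-readable only
KEY_ATTR = "sshPublicKey"                               # assumption: openssh-lpk attribute
GROUP_DN = "cn=ssh-users,ou=Groups,dc=example,dc=org"   # assumption; None disables the check

# sshd hands us %u verbatim; be strict about what we are willing to look up.
USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,63}")
# keytype, base64 blob, optional comment; no line breaks or NULs anywhere.
KEY_RE = re.compile(r"(ssh-|ecdsa-|sk-)\S+ [A-Za-z0-9+/=]+( [^\r\n\x00]*)?")


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def build_filter(username, user_attr="uid", group_dn=None):
    """Search filter for username; refuses anything that is not a plain account name.
    For AD use user_attr="sAMAccountName"."""
    if not USER_RE.fullmatch(username):
        raise ValueError("refusing to look up %r" % username)
    parts = ["(%s=%s)" % (user_attr, escape_filter_value(username))]
    if group_dn:
        parts.append("(memberOf=%s)" % escape_filter_value(group_dn))
    return "(&%s)" % "".join(parts)


def parse_ldif_keys(ldif_text, attr=KEY_ATTR):
    """Extract every value of attr from `ldapsearch -LLL` output, handling folded
    continuation lines (leading space) and base64 values ("attr:: ...")."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    prefix = attr.lower() + ":"
    values = []
    for line in unfolded:
        if not line.lower().startswith(prefix):
            continue
        rest = line[len(prefix):]
        if rest.startswith(":"):
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        rest = rest.strip()
        if rest:
            values.append(rest)
    return values


def validate_keys(values):
    """Keep only values that are exactly one authorized_keys line. A base64 value
    carrying a newline would otherwise expand into several lines in sshd's eyes."""
    return [v for v in values if KEY_RE.fullmatch(v)]


def ldapsearch_argv(username, group_dn=GROUP_DN):
    """Command line for the lookup (LDIF output, simple bind, password from file)."""
    return ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-D", BIND_DN, "-y", PW_FILE,
            "-b", BASE_DN, build_filter(username, group_dn=group_dn), KEY_ATTR]


def main(argv):
    if len(argv) != 2:
        return 2
    try:
        out = subprocess.run(ldapsearch_argv(argv[1]), capture_output=True,
                             text=True, timeout=10, check=True).stdout
    except (ValueError, OSError, subprocess.SubprocessError):
        return 1  # print nothing: sshd then grants no keys from this source
    for key in validate_keys(parse_ldif_keys(out)):
        print(key)
    return 0


# Constructed sample of ldapsearch -LLL output, used for offline checks only.
_KEY1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2l2wM8nHxJ4S0Q9lJkZ4gq7TqJ3t5L0H9qN2Xh0mB1 jdana@laptop"
_KEY2 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 jdana@desktop"
_B64_KEY2 = base64.b64encode(_KEY2.encode()).decode()
_B64_EVIL = base64.b64encode(b"ssh-ed25519 AAAA x\nssh-rsa BBBB injected").decode()
SAMPLE_LDIF = (
    "dn: uid=jdana,ou=People,dc=example,dc=org\n"
    "sshPublicKey: " + _KEY1 + "\n"
    "sshPublicKey:: " + _B64_KEY2[:20] + "\n " + _B64_KEY2[20:] + "\n"  # folded base64 value
    "sshPublicKey: not a key at all\n"
    "sshPublicKey:: " + _B64_EVIL + "\n"
)


def sample_keys():
    """Keys the helper would print for the constructed sample (only the two valid ones)."""
    return validate_keys(parse_ldif_keys(SAMPLE_LDIF))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

sshd refuses to run the command unless the file is owned by root and not group- or world-writable, and it also requires AuthorizedKeysCommandUser to name the (unprivileged) account the command runs as. Note that sshd consults AuthorizedKeysFile first and only then the command, so keys in ~/.ssh/authorized_keys still count unless sshd_config also sets AuthorizedKeysFile none.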