lists.arthurdejong.org
RSS feed

RE: ssh public key auth using pam_ldap

[Date Prev][Date Next] [Thread Prev][Thread Next]

RE: ssh public key auth using pam_ldap



On 4/28/20, 12:38 PM, "Norman Gray" wrote:
    
    Jason, hello.
    
    On 28 Apr 2020, at 17:30, Dana, Jason T. wrote:
    
    > I am trying to configure pam and/or nslcd to query an AD/LDAP server 
    > when a user accesses a system via SSH using public key authentication.
    >
    > I have successfully configured nslcd to query the AD/LDAP server and 
    > filter on a specific group. Unfortunately it does not appear to apply 
    > if the user is accessing the system using public key authentication. I 
    > have attempted a number of different sshd pam configuration changes 
    > and have added a pam_authz_search entry to nslcd.conf, but 
    > unfortunately none appear to be getting used.
    
    The way I've set this up is by storing the public key in the LDAP 
    database, and using the sshd_config AuthorizedKeysCommand to do a lookup 
    by username.  That ignores any key in ~/.ssh/authorized_keys.
    
    Is that what you're aiming for?  I can add further details if so.
    
    Note that that doesn't involve PAM at all (IIRC) -- it's the ssh daemon 
    that does the lookup and checks the key.

Thank you for the reply Norman!

I have been looking into this option as well, but so far it is not looking like 
my company will support adding public keys to the user's AD accounts.

Jason