Re: ssh public key auth using pam_ldap
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: ssh public key auth using pam_ldap
- From: "Trent W. Buck" <twb-nss-pam-ldapd-users [at] cyber.com.au>
- To: "Dana, Jason T." <Jason.Dana [at] jhuapl.edu>
- Cc: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: ssh public key auth using pam_ldap
- Date: Wed, 29 Apr 2020 11:52:35 +1000
Dana, Jason T. wrote:
> I am trying to configure pam and/or nslcd to query an AD/LDAP server when a
> user accesses a system via SSH using public key authentication.
>
> I have successfully configured nslcd to query the AD/LDAP server and filter
> on a specific group. Unfortunately it does not appear to apply if the user is
> accessing the system using public key authentication. I have attempted a
> number of different sshd pam configuration changes and have added a
> pam_authz_search entry to nslcd.conf, but unfortunately none appear to be
> getting used.
>
> Is this even possible or am I going down the wrong route?
>
> Any help would be greatly appreciated! Thank you!
It's not clear to me WHY you want sshd to issue an LDAP query.
Usually that is a means to an end, not an end in itself.
Is this so there is an audit trail in the log of LDAP queries?
Do you want the OpenSSH server to require multi-factor authentication --
that is, the user has to use BOTH their id_ed25519 AND their login password?
AuthenticationMethods publickey,password publickey,keyboard-interactive
https://man.openbsd.org/sshd_config#AuthenticationMethods
IIRC dropbear and tinysshd do not support PAM whatsoever, but
should still use nss when built against glibc.