Preventing ssh keys from granting a user access when LDAP account is disabled.

>________________________________________
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Gordon Messmer [yinyang at eburg.com]
>Sent: 22 July 2010 04:17
>To: General discussion list for the 389 Directory server project.
>Subject: Re: Preventing ssh keys from granting a user access when LDAP account is disabled.
>
>On 07/21/2010 08:53 AM, Gordon Messmer wrote:
>> There are a number of pam_... options available in /etc/ldap.conf, but
>> I'm not sure if those are used when doing ssh logins with keys.  That's
>> probably worth checking out if you use nss_ldap.  There are probably
>> similar options for nss_sss, but I haven't looked at that yet either. :)
>
>I played around with some options after setting the following in
>/etc/ldap.conf:
>pam_filter !(nsRoleDN=cn=nsmanageddisabledrole,dc=...)
>
>The syntax is correct, and it works for password authentication (such as
>"su").  However, even after setting all of the ldap modules in PAM to
>"required", I'm still able to log in with a key.  The documentation for
>PAM in the sshd configuration file leads me to believe that this cannot
>be made to work.  If you allow key based logins, you cannot lock
>accounts out using PAM+LDAP.  That means that if you want to lock out a
>user, you must completely invalidate their account.  The big drawback
>would be that a user who mistypes their password too many times will
>probably stop receiving email (assuming you've tied your email system to
>LDAP).

Well that is useful to know at least. I haven't played around with pam_filter yet but may be able to utilize it for something else.

>
>I believe you can do that in /etc/ldap.conf:
>nss_base_passwd ou=People..?sub?!(nsRoleDN=...)
>
>>> I still don't understand pam as well as I should but it would make
>>> sense to me for PAM to "check" LDAP before checking ssh...
>
>Remember that OpenSSH is maintained by the OpenBSD developers, where
>there is no PAM.  PAM support is added by the Portable OpenSSH group.
>Support for PAM is probably imperfect.

It is unfortunate. It would be nice if you could do a logical AND in PAM to utilize two sources of authentication. My understanding was that PAM is the bastion for all authentication and that nothing happens without its say-so.

Regards

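Added example, not code from this thread or from the 389 project: the nsRoleDN filter quoted above can be applied at the point where sshd fetches the user's public keys, which sidesteps PAM entirely. Since OpenSSH 6.2, the sshd_config directive AuthorizedKeysCommand runs an external program with the username and uses its stdout as the authorized_keys list; if the program prints nothing or exits non-zero, publickey authentication for that user fails. The script below looks the user up in the directory and refuses to emit keys for an entry that carries the managed disabled role. Assumed and not from the thread: the suffix dc=example,dc=com, the server ldap.example.com, the role DN cn=nsmanageddisabledrole,dc=example,dc=com, and that keys are stored in the user entry as sshPublicKey values (the openssh-lpk schema). The decision logic lives in a function that reads LDIF from stdin so it can be exercised without a directory server. One caveat on the PAM side, from sshd_config(5): with UsePAM yes the PAM account and session stacks run for all authentication types, publickey included; it is only the auth stack, where a password would be checked, that key logins skip.

```shell
#!/bin/sh
# Added example, not from the 389-users thread: an AuthorizedKeysCommand for
# sshd that hands back a user's public keys only while the account is not in
# the managed disabled role. The DNs, the host and the key attribute below are
# assumptions made for the example.

DISABLED_ROLE='cn=nsmanageddisabledrole,dc=example,dc=com'   # assumed role DN
LDAP_URI='ldap://ldap.example.com'                           # assumed server
PEOPLE_BASE='ou=People,dc=example,dc=com'                    # assumed base

# keys_from_ldif: read one LDIF entry on stdin; print each sshPublicKey value
# on its own line (authorized_keys format) unless the entry carries
# nsRoleDN: $DISABLED_ROLE, in which case print nothing and exit 1.
# Handles LDIF line folding (continuation lines begin with one space).
# Base64-encoded values ("attr:: ...") are ignored; plain ASCII keys assumed.
keys_from_ldif() {
    awk -v role="$DISABLED_ROLE" '
        function flush(    v) {
            if (buf == "") return
            if (buf ~ /^[^:]*::/) { buf = ""; return }   # skip base64 values
            v = buf
            sub(/^[^:]*:[ \t]*/, "", v)                  # value after "attr: "
            if (tolower(buf) ~ /^nsroledn:/) {
                if (tolower(v) == tolower(role)) disabled = 1
            } else if (tolower(buf) ~ /^sshpublickey:/) {
                keys[++n] = v
            }
            buf = ""
        }
        BEGIN { disabled = 0; n = 0; buf = "" }
        /^ /  { buf = buf substr($0, 2); next }          # folded continuation
        { flush(); buf = $0 }
        END {
            flush()
            if (disabled || n == 0) exit 1
            for (i = 1; i <= n; i++) print keys[i]
        }'
}

# lookup_user: the live query (needs ldapsearch from openldap-clients and
# network access; anonymous simple bind assumed, add -D/-w or -Y as needed).
# The username comes from the SSH client, so reject anything that could
# alter the search filter before it is interpolated.
lookup_user() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$PEOPLE_BASE" \
        "(uid=$1)" nsRoleDN sshPublicKey
}

# sshd invokes this as: <script> %u
# With no argument (e.g. when sourced for testing) only the functions are defined.
if [ -n "$1" ]; then
    lookup_user "$1" | keys_from_ldif
fi
```

To wire it in, install the script root-owned and not group- or world-writable (sshd refuses it otherwise), then in sshd_config set AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u and AuthorizedKeysCommandUser nobody, and reload sshd. Disabling an account with the usual managed role then cuts off key logins at the next connection attempt, while the rest of the entry (mail routing, group membership) stays intact.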

