>________________________________________
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Gordon Messmer [yinyang at eburg.com]
>Sent: 22 July 2010 04:17
>To: General discussion list for the 389 Directory server project.
>Subject: Re: Preventing ssh keys from granting a user access when LDAP account is disabled.
>
>On 07/21/2010 08:53 AM, Gordon Messmer wrote:
>> There are a number of pam_... options available in /etc/ldap.conf, but
>> I'm not sure if those are used when doing ssh logins with keys. That's
>> probably worth checking out if you use nss_ldap. There are probably
>> similar options for nss_sss, but I haven't looked at that yet either. :)
>
>I played around with some options after setting the following in
>/etc/ldap.conf:
>pam_filter !(nsRoleDN=cn=nsmanageddisabledrole,dc=...)
>
>The syntax is correct, and it works for password authentication (such as
>"su"). However, even after setting all of the ldap modules in PAM to
>"required", I'm still able to log in with a key. The documentation for
>PAM in the sshd configuration file leads me to believe that this cannot
>be made to work. If you allow key based logins, you cannot lock
>accounts out using PAM+LDAP. That means that if you want to lock out a
>user, you must completely invalidate their account. The big drawback
>would be that a user who mistypes their password too many times will
>probably stop receiving email (assuming you've tied your email system to
>LDAP).

Well, that is useful to know at least. I haven't played around with pam_filter yet, but I may be able to utilise it for something else.

>I believe you can do that in /etc/ldap.conf:
>nss_base_passwd ou=People..?sub?!(nsRoleDN=...)
>
>>> I still don't understand pam as well as I should but it would make
>>> sense to me for PAM to "check" LDAP before checking ssh...
>
>Remember that OpenSSH is maintained by the OpenBSD developers, where
>there is no PAM. PAM support is added by the Portable OpenSSH group.
>Support for PAM is probably imperfect.

It is unfortunate. It would be nice if you could do a logical AND in PAM to utilise two sources of authentication. My understanding was that PAM is the bastion for all authentication and that nothing happens without its say-so.

Regards
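The nss_base_passwd suggestion quoted above relies on a different mechanism than pam_filter: if the filter appended to the passwd search base excludes the disabled role, the account simply stops resolving through NSS, so sshd's getpwnam() fails before any key is ever consulted. The following is an added example (not code from this thread, from 389 DS or from nss_ldap) that parses an RFC 4515-style filter and applies it to a small in-memory directory, so you can see which accounts a passwd lookup would still return. It assumes a hypothetical base DN of dc=example,dc=com (the thread's own suffix is elided as "dc=..."), treats nsRoleDN as a stored attribute for the sake of running offline (in 389 DS it is computed by the roles plugin), approximates LDAP caseIgnore/DN matching with a lowercase comparison, and assumes nss_ldap ANDs its own objectClass=posixAccount test with the configured filter.

```python
"""Apply an LDAP search filter (RFC 4515 subset) to in-memory entries."""

# Constructed sample directory. The base DN dc=example,dc=com and both
# accounts are assumptions for this example, not the poster's directory.
DISABLED_ROLE = "cn=nsmanageddisabledrole,dc=example,dc=com"
SAMPLE_ENTRIES = [
    {
        "dn": "uid=alice,ou=People,dc=example,dc=com",
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["alice"],
        "nsRoleDN": [],
    },
    {
        "dn": "uid=bob,ou=People,dc=example,dc=com",
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["bob"],
        # nsRoleDN is computed by 389 DS; stored here so the example runs
        # without a server.
        "nsRoleDN": [DISABLED_ROLE],
    },
]


def parse_filter(text):
    """Parse a filter built from &, |, ! and attr=value ('*' = presence).

    A bare 'attr=value' or '!(...)' without outer parentheses is accepted,
    matching how the options in /etc/ldap.conf are usually written.
    """
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    # Simple item: 'attr=value' up to the closing ')'. RFC 4515 escapes a
    # literal ')' inside a value as \29, so the first ')' ends the item.
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:j].partition("=")
    if not attr or not sep or attr[-1] in "~<>:":
        raise ValueError("only equality/presence items supported: %r" % s[i:j])
    return ("=", attr, value), j + 1


def _values(entry, attr):
    """Values of attr in entry; attribute names compare case-insensitively."""
    for name, vals in entry.items():
        if name != "dn" and name.lower() == attr.lower():
            return vals
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":
        return bool(vals)
    # Assumption: caseIgnore / DN matching approximated by lowercase compare.
    return any(v.lower() == value.lower() for v in vals)


def nss_passwd_filter(extra):
    """Assumed shape of the passwd search nss_ldap issues: its own objectClass
    test ANDed with the filter given after '?sub?' on the nss_base_passwd line."""
    extra = extra.strip()
    if not extra:
        return "(objectClass=posixAccount)"
    if not extra.startswith("("):
        extra = "(" + extra + ")"
    return "(&(objectClass=posixAccount)" + extra + ")"


def resolve_passwd(entries, extra=""):
    """Usernames NSS would hand to sshd's getpwnam() under the extra filter."""
    node = parse_filter(nss_passwd_filter(extra))
    return sorted(e["uid"][0] for e in entries if matches(node, e))


if __name__ == "__main__":
    print("no filter:       ", resolve_passwd(SAMPLE_ENTRIES))
    print("disabled hidden: ",
          resolve_passwd(SAMPLE_ENTRIES, "!(nsRoleDN=%s)" % DISABLED_ROLE))
```

The point the evaluator makes concrete is that bob disappears from the passwd map entirely once the negated role filter is in place, which is exactly why this approach covers key-based logins where a PAM-only check does not: sshd never gets as far as reading an authorized_keys file for a user it cannot resolve. The cost is the one the quoted reply describes, since an unresolvable account also vanishes for every other NSS consumer on the host.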