(the following refers to OpenSSH's sshd and may or may not apply to
other implementations.)
Stanislav Sedov wrote:
It seems that SSH can't fetch keys using PAM or LDAP.
For the vanilla distribution that's true. As others have mentioned,
there's patches to do this.
Furthermore,
SSHd don't use PAM in case if user is authentificating using
public keys.
That's not correct. Even if you're authenticating via public-key, as
long as UsePAM is enabled in sshd_config then pam_acct_mgmt(),
pam_setcred and pam_open_session() are still used.
You must patch SSHd to fetch keys from LDAP, or write PAM module
that will communicate with ssh client and verify keys manually.
Probably, this can't be achived, because you must initiate
key exchange procedure with client.
There's no mechanism for communicating public key information between a
PAM app and PAM modules (at least, none that I'm aware of, and if there
is one I would be interested in hearing about it).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
