I am very new to PAM, so maybe what I am about to ask is trivial; please bear with me.

I understand how to configure PAM in my Linux system so that whenever a user attempts to log in from a given application, the authentication will be delegated to a relevant server. I have two questions:

1) Imagine a user trying to log into my system via SSH. When authentication is local, that user can resort to public key authentication, so that no password will have to be supplied. Based on what I know about PAM, public key authentication will not be available in general when using an external authentication mechanism - I don't think that e.g. RADIUS or LDAP servers support that. So my assumption is that once PAM is configured for, say, RADIUS authentication for SSH, public key authentication will not be available for SSH users any more. Is this correct?

2) When doing authentication with an LDAP or RADIUS server through PAM, is it possible to configure PAM so that the information concerning the groups that the user belongs to is obtained from the server, rather than locally? Both LDAP and RADIUS servers can easily convey that information at the same time as they carry out a successful authentication, but it is not clear to me if PAM provides any mechanism to make use of it.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list