Re: Group information and PAM



Let me start off with mentioning that PAM uses modules and with those modules you can create an authentication stack where each module is "tried" after the other. This way you can create a stack that does:
check LDAP credentials
check RADIUS credentials
check local credentials
deny access

All this can be done for authentication checking and session checking (group information) depending on the different stacks you write and the settings in /etc/nsswitch.conf

I hope this answers your questions about the ordering. To answer your question about SSH keys, that depends on the schemas in your LDAP server and the version of sshd you are using. I have written a little document that might help you out:
and while at it the following might help to understand a bit more about how you could use PAM modules with LDAP:


Dennis Leeuw
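As an added example (not part of Dennis's mail), here is what the stack he describes looks like as an /etc/pam.d/sshd fragment, together with the nsswitch.conf lines that decide where group information comes from. The module file names are the usual Linux-PAM ones; the control flags and option values are choices made for this illustration.

```text
# /etc/pam.d/sshd  (added example, not from the original post)
#
# Modules run top to bottom.  "sufficient": success ends the stack with
# PASS right away; failure is ignored and the next line is tried.
# "required": must succeed, but the remaining lines still run.
# use_first_pass hands the password typed once to the next module, so the
# user is not prompted three times.
auth     sufficient  pam_ldap.so
auth     sufficient  pam_radius_auth.so  use_first_pass
auth     sufficient  pam_unix.so         use_first_pass
# Reached only if LDAP, RADIUS and local all failed (or were unreachable):
auth     required    pam_deny.so
# Note: OpenSSH does not run this auth stack for a successful public-key
# login; the account and session stacks below still run for it.

# Is the account allowed to log in (expired, locked, host restrictions)?
account  sufficient  pam_ldap.so
account  required    pam_unix.so

session  required    pam_unix.so
# First login of an LDAP-only user: create the home directory.
session  optional    pam_mkhomedir.so    skel=/etc/skel umask=0077
```

```text
# /etc/nsswitch.conf  (added example)
# Group membership is not a PAM decision: it is resolved through NSS.
# Local /etc/group is consulted first, then the LDAP directory.
passwd:  files ldap
group:   files ldap
```

RADIUS has no NSS backend, so with this layout group membership can come from local files or from LDAP, but not from the RADIUS server that authenticated the user; the ordering of the auth lines also means an unreachable LDAP or RADIUS server falls through to the next source rather than locking everyone out.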

On 05/05/2015 10:47 PM, JCA wrote:
    I am very new to PAM, so maybe what I am about to ask is trivial;
please bear with me.

    I understand how to configure PAM in my Linux system so that
whenever a user attempts to log in from a given application, the
authentication will be delegated to a relevant server. I have two

   1) Imagine a user trying to log into my system via SSH. When
authentication is local, that user can resort to public key
authentication, so that no password will have to be supplied. Based on
what I know about PAM, public key authentication will not be available
in general when using an external authentication mechanism - I don't
think that e.g. RADIUS or LDAP servers support that. So my assumption
is that once PAM is configured for, say, RADIUS authentication for
SSH, public key authentication will not be available
for SSH users any more. Is this correct?

    2) When doing authentication with an LDAP or RADIUS server through
PAM, is it possible to configure PAM so that the information
concerning the groups that the user belongs to is obtained from the
server, rather than locally? Both LDAP and RADIUS servers can easily
convey that information at the same time as they carry out a successful
authentication, but it is not clear to me if PAM provides any
mechanism to make use of it.

Pam-list mailing list
