Re: Best practices for "pure" remote accounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, this would be for multiple machines.

Also, my understanding is that sssd works with LDAP/AD but not with Radius?

I'd like to find something that works with both.

Looking for a deployment guide that explains how PAM, NSS, and SSSD all fit together.




> On Oct 19, 2023, at 6:03 AM, James Yu Wang <yuwang@xxxxxxxxxx> wrote:
> 
> Hello,
> 
> Since you only care about username, uid, gid, and loginshell (management
> CLI), If you only have one appliance, then just use the /etc/passwd file
> with pam_unix. If you have multiple appliances, then considering centralized
> authentication and authorization like ldap with pam_sss.
> 
> James
> 
> -----Original Message-----
> From: Pam-list <pam-list-bounces@xxxxxxxxxx> On Behalf Of Philip Prindeville
> Sent: Wednesday, October 18, 2023 1:04 PM
> To: pam-list@xxxxxxxxxx
> Subject: Best practices for "pure" remote accounts
> 
> Hi,
> 
> I was wondering what the conventional wisdom is in the following scenario...
> 
> I'm working on a downstream distro that uses Debian/Ubuntu bases, and we
> allow users to log into an appliance (or "server", if you prefer, but not
> really).  For now we have to go ahead and create a placekeeper account with
> no password for each user for LDAP or Radius authentication to work, but I
> saw some articles on stackoverflow and elsewhere talking about "authconfig"
> and "nslcd", etc.
> 
> Our requirements are such that having a "seed" user that everyone gets
> cloned as is fine, so they can inherit that uid, gid, and (nonexistent) home
> directory as they won't be dropping into a shell but into a management CLI
> instead.
> 
> We just need to be able to tell them apart by username.
> 
> And we can block access to scp/sftp if needed for that uid/gid so we don't
> have to worry about them creating files since they don't have a home
> directory of their own.
> 
> How is this typically solved in the most lightweight way possible?
> 
> Thanks,
> 
> -Philip
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://listman.redhat.com/mailman/listinfo/pam-list
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://listman.redhat.com/mailman/listinfo/pam-list
> 

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list




[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux