Yes, this would be for multiple machines.

Also, my understanding is that sssd works with LDAP/AD but not with Radius? I'd like to find something that works with both.

Looking for a deployment guide that explains how PAM, NSS, and SSSD all fit together.

> On Oct 19, 2023, at 6:03 AM, James Yu Wang <yuwang@xxxxxxxxxx> wrote:
>
> Hello,
>
> Since you only care about username, uid, gid, and loginshell (management
> CLI), if you only have one appliance, then just use the /etc/passwd file
> with pam_unix. If you have multiple appliances, then consider centralized
> authentication and authorization like ldap with pam_sss.
>
> James
>
> -----Original Message-----
> From: Pam-list <pam-list-bounces@xxxxxxxxxx> On Behalf Of Philip Prindeville
> Sent: Wednesday, October 18, 2023 1:04 PM
> To: pam-list@xxxxxxxxxx
> Subject: Best practices for "pure" remote accounts
>
> Hi,
>
> I was wondering what the conventional wisdom is in the following scenario...
>
> I'm working on a downstream distro that uses Debian/Ubuntu bases, and we
> allow users to log into an appliance (or "server", if you prefer, but not
> really). For now we have to go ahead and create a placekeeper account with
> no password for each user for LDAP or Radius authentication to work, but I
> saw some articles on stackoverflow and elsewhere talking about "authconfig"
> and "nslcd", etc.
>
> Our requirements are such that having a "seed" user that everyone gets
> cloned as is fine, so they can inherit that uid, gid, and (nonexistent) home
> directory as they won't be dropping into a shell but into a management CLI
> instead.
>
> We just need to be able to tell them apart by username.
>
> And we can block access to scp/sftp if needed for that uid/gid so we don't
> have to worry about them creating files since they don't have a home
> directory of their own.
>
> How is this typically solved in the most lightweight way possible?
>
> Thanks,
>
> -Philip

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list