Where are the accounts stored? PAM allows you to stack modules. For example, you can use pam_krb5 to auth off AD and pam_radius to auth off radius. You stack them in the 'auth' section of the pam.d config file. You use NSS to get users' uid, gid, homedir, etc. information. nslcd and sssd can do that. You put pam_ldap or pam_sss in the 'account' section of the pam.d config file and append 'ldap' or 'sss' to the 'passwd' and 'shadow' lines in /etc/nsswitch.conf.

-----Original Message-----
From: Pam-list <pam-list-bounces@xxxxxxxxxx> On Behalf Of Philip Prindeville
Sent: Friday, October 20, 2023 3:09 PM
To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Subject: Re: Best practices for "pure" remote accounts

Yes, this would be for multiple machines.

Also, my understanding is that sssd works with LDAP/AD but not with Radius? I'd like to find something that works with both.

Looking for a deployment guide that explains how PAM, NSS, and SSSD all fit together.

> On Oct 19, 2023, at 6:03 AM, James Yu Wang <yuwang@xxxxxxxxxx> wrote:
>
> Hello,
>
> Since you only care about username, uid, gid, and loginshell
> (management CLI), if you only have one appliance, then just use the
> /etc/passwd file with pam_unix. If you have multiple appliances, then
> consider centralized authentication and authorization like LDAP with pam_sss.
>
> James
>
> -----Original Message-----
> From: Pam-list <pam-list-bounces@xxxxxxxxxx> On Behalf Of Philip
> Prindeville
> Sent: Wednesday, October 18, 2023 1:04 PM
> To: pam-list@xxxxxxxxxx
> Subject: Best practices for "pure" remote accounts
>
> Hi,
>
> I was wondering what the conventional wisdom is in the following scenario...
>
> I'm working on a downstream distro that uses Debian/Ubuntu bases, and
> we allow users to log into an appliance (or "server", if you prefer,
> but not really).
> For now we have to go ahead and create a placekeeper
> account with no password for each user for LDAP or Radius
> authentication to work, but I saw some articles on stackoverflow and elsewhere talking about "authconfig"
> and "nslcd", etc.
>
> Our requirements are such that having a "seed" user that everyone gets
> cloned as is fine, so they can inherit that uid, gid, and
> (nonexistent) home directory as they won't be dropping into a shell
> but into a management CLI instead.
>
> We just need to be able to tell them apart by username.
>
> And we can block access to scp/sftp if needed for that uid/gid so we
> don't have to worry about them creating files since they don't have a
> home directory of their own.
>
> How is this typically solved in the most lightweight way possible?
>
> Thanks,
>
> -Philip
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://listman.redhat.com/mailman/listinfo/pam-list
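The split James describes at the top of the thread (pam_krb5/pam_radius verify credentials in 'auth', pam_sss or pam_ldap in 'account', and the same backend appended to the passwd/group/shadow lines of /etc/nsswitch.conf so NSS can supply uid/gid/home) is easy to get half right, which is exactly how one ends up with the placeholder accounts Philip's original post complains about. The following is an added example, not code from the thread or from any PAM/SSSD project: a small checker that parses a pam.d service file and an nsswitch.conf and reports identity backends that PAM uses but NSS does not. The service name mgmt-cli, the control flags, and all three sample configs are constructed for illustration; the module file names pam_krb5.so, pam_radius_auth.so (the pam_radius module's actual .so name), pam_sss.so and pam_ldap.so are real.

```python
"""Check that a stacked PAM service and /etc/nsswitch.conf agree on users.

Added example for this thread (not code from the list or any project).
pam_krb5/pam_radius only verify credentials; uid/gid/home come from NSS
(sss or ldap).  If nsswitch.conf does not list the same backend, every
remote user still needs a local placeholder entry.  The service name,
control flags and all sample config texts below are constructed.
"""
import re

# pam.d line: [-]type control module [args]; control may be a [...] block.
PAM_LINE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$"
)

# PAM modules whose users must also be resolvable through an NSS source.
NSS_SOURCE_FOR = {"pam_sss.so": "sss", "pam_ldap.so": "ldap"}
# Modules that authenticate only and never supply identity data.
AUTH_ONLY = {"pam_krb5.so", "pam_radius_auth.so"}
IDENTITY_DBS = ("passwd", "group", "shadow")
LOCAL_SOURCES = {"files", "compat"}

# Constructed /etc/pam.d/mgmt-cli: try Kerberos (AD), fall back to RADIUS,
# deny if both fail, then let sssd decide whether the account is valid.
SAMPLE_PAM = """\
auth     sufficient   pam_krb5.so
auth     sufficient   pam_radius_auth.so
auth     required     pam_deny.so
account  required     pam_sss.so
session  required     pam_permit.so
"""

# Constructed nsswitch.conf with 'sss' missing from group and shadow.
SAMPLE_NSS_BAD = "passwd: files sss\ngroup: files\nshadow: files\n"
# Constructed nsswitch.conf with 'sss' appended to all three databases.
SAMPLE_NSS_GOOD = "passwd: files sss\ngroup: files sss\nshadow: files sss\n"
# Constructed local-only nsswitch.conf: the "placeholder account" situation.
SAMPLE_NSS_LOCAL = "passwd: files\ngroup: files\nshadow: files\n"
# Constructed stack that authenticates remotely but keeps identity local.
SAMPLE_PAM_LOCAL_IDENTITY = """\
auth     sufficient   pam_radius_auth.so
auth     required     pam_deny.so
account  required     pam_unix.so
"""


def parse_pam(text):
    """Return [(type, control, module, args)], skipping comments/@include."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        mtype, control, module, args = m.groups()
        stack.append((mtype, control, module, args or ""))
    return stack


def parse_nsswitch(text):
    """Return {database: [sources]}; [STATUS=action] specs are dropped."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, sources = line.partition(":")
        db[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return db


def check_consistency(pam_text, nss_text):
    """List every way the PAM stack and nsswitch.conf disagree about users."""
    stack = parse_pam(pam_text)
    nss = parse_nsswitch(nss_text)
    problems = []
    for mtype, _control, module, _args in stack:
        src = NSS_SOURCE_FOR.get(module)
        if src is None:
            continue
        for dbname in IDENTITY_DBS:
            if src not in nss.get(dbname, []):
                problems.append(
                    f"{mtype}: {module} is used but nsswitch '{dbname}' lacks '{src}'"
                )
    remote_identity = any(
        s not in LOCAL_SOURCES for d in IDENTITY_DBS for s in nss.get(d, [])
    )
    if not remote_identity and any(m in AUTH_ONLY for _, _, m, _ in stack):
        problems.append(
            "auth is remote but every identity database is local; each user "
            "needs a placeholder entry in /etc/passwd to get a uid/gid"
        )
    return problems


if __name__ == "__main__":
    for label, nss in (("bad", SAMPLE_NSS_BAD), ("good", SAMPLE_NSS_GOOD)):
        print(label, check_consistency(SAMPLE_PAM, nss) or "OK")
    print("local", check_consistency(SAMPLE_PAM_LOCAL_IDENTITY, SAMPLE_NSS_LOCAL))
```

On a real appliance, feed it the contents of /etc/pam.d/<service> and /etc/nsswitch.conf instead of the constructed strings; the runtime counterpart of the same check is `getent passwd <remote-user>`, which returns nothing when NSS cannot see the directory no matter how the PAM auth stack is arranged.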