On Tue, 27 Jan 2009, Jesse C. Waters wrote:
Richard Ray wrote:
I have configured pam to authenticate ssh via ldap
No problems with that
How can I configure pam/ssh to use ldap for certain accounts only and unix
password for other accounts
Running CentOS 5.2
Thanks
Richard Ray
that is controlled with your /etc/nsswitch.conf
passwd files ldap
group files ldap
check if user exists in /etc/passwd 1st, then ldap
so if you have a local account joe and an ldap account joe, it should use
local account 1st. if you flip it around passwd ldap files then vs.
to restrict certain ldap groups to logging in you need add "pam_groupdn" to
your ldap.conf file.
All these relate to pam & ldap configurations, I am not a pam expert. Test
your configs, make sure you didn't allow anyone into your system as root
without a passwd. (did that once, glad it was a vm).
I am no pam expert but this is what I came up with
Create a local group ldap_users
Add users to ldap_users that will authenticate via ldap
This is my /etc/pam.d/sshd
auth required pam_nologin.so
auth required pam_localuser.so
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_succeed_if.so debug user ingroup ldap_users
auth sufficient /lib/security/pam_ldap.so
auth required pam_deny.so
account required pam_nologin.so
account sufficient /lib/security/pam_ldap.so
account include system-auth
password sufficient /lib/security/pam_ldap.so
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
It works for me
I would appreciate a bit of scrutiny
Richard
HTH,
Jesse Waters
