Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/21/2010 08:53 AM, Gordon Messmer wrote:
> There are a number of pam_... options available in /etc/ldap.conf, but
> I'm not sure if those are used when doing ssh logins with keys.  That's
> probably worth checking out if you use nss_ldap.  There are probably
> similar options for nss_sss, but I haven't looked at that yet either. :)

I played around with some options after setting the following in 
/etc/ldap.conf:
pam_filter !(nsRoleDN=cn=nsmanageddisabledrole,dc=...)

The syntax is correct, and it works for password authentication (such as 
"su").  However, even after setting all of the ldap modules in PAM to 
"required", I'm still able to log in with a key.  The documentation for 
PAM in the sshd configuration file leads me to believe that this cannot 
be made to work.  If you allow key based logins, you cannot lock 
accounts out using PAM+LDAP.  That means that if you want to lock out a 
user, you must completely invalidate their account.  The big drawback 
would be that a user who mistypes their password too many times will 
probably stop receiving email (assuming you've tied your email system to 
LDAP).

I believe you can do that in /etc/ldap.conf:
nss_base_passwd ou=People..?sub?!(nsRoleDN=...)

>> I still don't understand pam as well as I should but it would make
>> sense to me for PAM to "check" LDAP before checking ssh...

Remember that OpenSSH is maintained by the OpenBSD developers, where 
there is no PAM.  PAM support is added by the Portable OpenSSH group. 
Support for PAM is probably imperfect.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
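An added example, not from the thread or from 389 DS itself, that models how the two /etc/ldap.conf filters discussed above affect password versus key logins; the base DN dc=example,dc=com and the users are constructed assumptions standing in for the elided "dc=...":

```python
import re

# Constructed sample data; "dc=example,dc=com" stands in for the base DN
# elided as "dc=..." in the mail.
DISABLED_ROLE = "cn=nsmanageddisabledrole,dc=example,dc=com"
PAM_FILTER = "!(nsRoleDN=%s)" % DISABLED_ROLE
NSS_PASSWD_OPEN = "ou=People,dc=example,dc=com?sub?"
NSS_PASSWD_LOCKED = "ou=People,dc=example,dc=com?sub?" + PAM_FILTER

ENTRIES = {
    "alice": {"dn": "uid=alice,ou=People,dc=example,dc=com", "nsRoleDN": []},
    # bob carries the managed disabled role
    "bob": {"dn": "uid=bob,ou=People,dc=example,dc=com",
            "nsRoleDN": [DISABLED_ROLE]},
}

def matches(entry, ldap_filter):
    """Evaluate the small filter subset used in the mail:
    (attr=value), optionally negated with a leading '!'."""
    m = re.fullmatch(r"(!?)\(([\w;-]+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    negate, attr, value = m.groups()
    hit = any(v.lower() == value.lower() for v in entry.get(attr, []))
    return hit != bool(negate)

def nss_passwd_visible(entry, nss_base_passwd):
    """nss_base_passwd is base?scope?filter. An entry outside base/scope or
    failing the filter never reaches getpwnam(), so every NSS consumer
    (sshd, the MTA, ...) treats the user as nonexistent."""
    base, scope, flt = nss_base_passwd.split("?")
    dn, base = entry["dn"].lower(), base.lower()
    in_scope = dn == base if scope == "base" else dn.endswith("," + base)
    return in_scope and (flt == "" or matches(entry, flt))

def login_outcome(entry, method, pam_filter, nss_base_passwd):
    """Model sshd: the user must resolve via NSS; pam_filter is enforced by
    pam_ldap in the PAM auth stack, which sshd only runs for password or
    keyboard-interactive logins, not for publickey (the mail's observation)."""
    if not nss_passwd_visible(entry, nss_base_passwd):
        return "denied: unknown user"
    if method == "password" and not matches(entry, pam_filter):
        return "denied: pam_filter"
    return "allowed"

if __name__ == "__main__":
    for user, entry in ENTRIES.items():
        for method in ("password", "publickey"):
            print(user, method,
                  "pam_filter only:", login_outcome(entry, method, PAM_FILTER, NSS_PASSWD_OPEN),
                  "| nss filter:", login_outcome(entry, method, PAM_FILTER, NSS_PASSWD_LOCKED))
```

Running it shows the gap the mail describes (bob's key login is allowed with pam_filter alone) and the cost of the nss_base_passwd fix (bob disappears from NSS entirely, which is what breaks his mail delivery).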
