Friday, November 6, 2009

6.6 OpenSSH, PAM, and NSS

Once the pam_ldap and nss_ldap shared libraries have been installed
and /etc/ldap.conf has been configured, you can
configure individual services to use the new PAM module.
We'll start with the SSH daemon,
sshd. Here's how to set up
OpenSSH (http://www.openssh.com/)
on a Linux system, which uses a separate PAM configuration file per
service. (Note that other systems may use a single PAM file for all
services; for example, Solaris uses
/etc/pam.conf.) Make sure that PAM is enabled
when you compile the sshd daemon; otherwise, you
will be wasting your time.



The following
/etc/pam.d/sshd configuration file defines
the pam_ldap library to be used for authentication
(auth) and account management
(account). The account management library checks
for password aging according to the attribute types defined for the
shadowAccount object class and verifies any
host-based access rules (covered in the next section). The
session module type is ignored by the pam_ldap
library. While user password changes are supported by the pam_ldap
library, these are not relevant to this example.



## /etc/pam.d/sshd
## PAM configuration file for OpenSSH server
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so shadow nullok use_first_pass

account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix.so nullok use_authtok shadow

session required /lib/security/pam_unix.so
session optional /lib/security/pam_console.so


The use of the sufficient control flag for the
auth and account service types
indicates that authentication by this module alone is enough to
return success to the invoking application. The
use_first_pass argument is necessary so that the
user is not prompted for an additional password if authentication
falls through to the pam_unix.so library.
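As an added example (not code from the book or from the pam_ldap project), the following Python script parses a per-service PAM file in the Linux format shown above and checks the two points just described: that pam_ldap is stacked as sufficient in the auth and account groups, and that a pam_unix entry following it in the auth stack carries use_first_pass so the user is not prompted twice. It also reports nullok, since that argument lets pam_unix accept an empty password; accepting try_first_pass as an alternative to use_first_pass is an assumption beyond the text, and the sample file is constructed from the configuration above.

```python
"""Check a Linux per-service PAM file for the pam_ldap stacking pattern."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the auth and account stacks from the /etc/pam.d/sshd example.
SAMPLE_SSHD_PAM = """\
## /etc/pam.d/sshd
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so shadow nullok use_first_pass

account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
"""


@dataclass
class PamEntry:
    mtype: str            # auth, account, password or session
    control: str          # required, sufficient, optional, requisite
    module: str           # module basename, e.g. pam_ldap.so
    args: tuple[str, ...]  # module arguments such as use_first_pass


def parse_pam(text: str) -> list[PamEntry]:
    """Parse 'type control module [args...]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, path, *args = fields
        entries.append(PamEntry(mtype, control, path.rsplit("/", 1)[-1], tuple(args)))
    return entries


def check_ldap_stack(entries: list[PamEntry]) -> list[str]:
    """Return findings for the auth and account stacks; an empty list means the pattern holds."""
    findings = []
    for mtype in ("auth", "account"):
        stack = [e for e in entries if e.mtype == mtype]
        ldap_idx = next((i for i, e in enumerate(stack) if e.module == "pam_ldap.so"), None)
        if ldap_idx is None:
            findings.append(f"{mtype}: pam_ldap.so is not in the stack")
            continue
        if stack[ldap_idx].control != "sufficient":
            findings.append(f"{mtype}: pam_ldap.so is '{stack[ldap_idx].control}', not 'sufficient'")
        # Modules after a sufficient pam_ldap only run when LDAP fails; pam_unix must reuse the password.
        for e in stack[ldap_idx + 1:]:
            if mtype == "auth" and e.module == "pam_unix.so" and not {"use_first_pass", "try_first_pass"} & set(e.args):
                findings.append("auth: pam_unix.so after pam_ldap.so lacks use_first_pass (user prompted twice)")
    # nullok makes pam_unix accept an empty password field; report it so the choice is deliberate.
    for e in entries:
        if e.module == "pam_unix.so" and "nullok" in e.args:
            findings.append(f"{e.mtype}: pam_unix.so has nullok (accepts empty passwords)")
    return findings
```

Run it against a real file with `check_ldap_stack(parse_pam(open("/etc/pam.d/sshd").read()))`; on the sample above the only finding is the nullok report.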



You will have to create a similar configuration file for every other
service for which you want to control access.



While configuring sshd to use PAM for authentication
requires some configuration, nothing needs to be done to make
sshd use the nss_ldap library. The retrieval of
information from the various databases listed in
/etc/nsswitch.conf is handled by the
system's standard C library; once
you've set up nsswitch.conf,
you're done. The client application only needs to
call the basic get...() function, such as
getpwnam(), to obtain the available information.
