On Friday, 5 February 2010 03:26:36 ben thielsen wrote:

> pam config for sshd:
> >egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
> 
> auth          required                        pam_env.so # [1]
> auth          required                        pam_env.so envfile=/etc/default/locale
> auth          [success=2 default=ignore]      pam_unix.so nullok_secure
> auth          [success=1 default=ignore]      pam_ldap.so use_first_pass
> auth          requisite                       pam_deny.so
> auth          required                        pam_permit.so
> account               required                        pam_nologin.so
> account               [success=2 new_authtok_reqd=done default=ignore] pam_unix.so

The above line will succeed for any user that can be enumerated via getpwent 
(e.g. by 'getent passwd username'), which will most likely include all your 
LDAP users. You should use something that will succeed for "local" users but 
not LDAP users, such as pam_localuser.so (if available on your platform).

> account               [success=1 default=ignore]      pam_ldap.so
> account               requisite                       pam_deny.so
> account               required                        pam_permit.so
> session               [default=1]                     pam_permit.so
> session               requisite                       pam_deny.so
> session               required                        pam_permit.so
> session               required                        pam_unix.so
> session               optional                        pam_ldap.so no_warn
> session               optional                        pam_motd.so # [1]
> session               optional                        pam_mail.so standard noenv # [1]
> session               required                        pam_limits.so
> password        required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
> password        [success=2 default=ignore]      pam_unix.so obscure md5
> password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
> password        requisite                       pam_deny.so
> password        required                        pam_permit.so


Regards,
Buchan
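As an added illustration, not part of the original mail or of Buchan's reply: a small Python model of the quoted account stack's control flow, with constructed user sets and stand-in module functions, showing that with pam_unix.so in the first slot a locked LDAP user is admitted, while with pam_localuser.so the pam_ldap.so account check is actually reached.

```python
# Added model of the quoted account stack; user sets below are constructed.
LOCAL_USERS = {"root", "alice"}   # constructed: listed in /etc/passwd
LDAP_USERS = {"bob", "carol"}     # constructed: resolvable through nss_ldap
LDAP_LOCKED = {"bob"}             # constructed: bob's LDAP account is disabled

def pam_unix(user):
    # account check passes for any user getpwnam() resolves, local or LDAP
    return "success" if user in LOCAL_USERS | LDAP_USERS else "user_unknown"

def pam_localuser(user):
    # passes only for users actually present in /etc/passwd
    return "success" if user in LOCAL_USERS else "user_unknown"

def pam_ldap(user):
    if user not in LDAP_USERS:
        return "user_unknown"
    return "acct_expired" if user in LDAP_LOCKED else "success"

pam_deny = lambda user: "perm_denied"
pam_permit = lambda user: "success"
REQUIRED = {"success": "ok", "default": "bad"}    # keyword equivalents
REQUISITE = {"success": "ok", "default": "die"}

def run_stack(stack, user):
    """[value=action] semantics: ignore does not count, ok/done record success,
    bad/die record failure, die/done stop, integer N skips the next N modules."""
    succeeded = failed = False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        action = control.get(module(user), control["default"])
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failed = True
        else:
            succeeded = True
            if isinstance(action, int):
                i += action
        if action in ("die", "done"):
            break
    return "success" if succeeded and not failed else "denied"

def account_stack(first):
    return [({"success": 2, "new_authtok_reqd": "done", "default": "ignore"}, first),
            ({"success": 1, "default": "ignore"}, pam_ldap),
            (REQUISITE, pam_deny), (REQUIRED, pam_permit)]

QUOTED = account_stack(pam_unix)       # as posted: bob gets in despite the lock
FIXED = account_stack(pam_localuser)   # Buchan's suggestion: bob is denied
```

The FIXED stack still admits carol, whose LDAP account is valid, so the change narrows only the bypass.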
