/etc/pam.d/ has several files, and running auth-config updates many of those. I need to know exactly which file needs to be updated to support LDAP-based login using SSH / console.
1 Answer
Typically there will be a file under /etc/pam.d/ called sshd, but it usually only contains a few lines similar to this:
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
These are references to the other files in the /etc/pam.d/ directory that contain the PAM directives common to all security functions on your machine. If you want LDAP authentication for SSH only, you would change the sshd file itself. If you are trying to set up LDAP authentication for the entire system (i.e. local login as well as SSH), you will need to edit the common PAM files for all logins.
A typical sshd configuration file for LDAP auth would look something like this:
auth files ldap
account files ldap
password files ldap
session files ldap
However, this assumes you aren't using SSSD and only want LDAP authentication for SSHD and no other services. This configuration allows local logins on the target server to work in the event LDAP authentication fails for whatever reason. You may or may not want that behavior. Be aware also that depending on how your LDAP server is configured, this may result in user logins being sent in cleartext over the network.
Here is a comprehensive setup guide for LDAP authentication on CentOS, but it is geared towards using LDAP for both local logins as well as services (including SSH).
Uh, `files ldap` is something you would use in `nsswitch.conf` not a pam config file. – MikeA Oct 04 '16 at 23:33
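To find out which file under /etc/pam.d actually carries the directives a login through sshd evaluates, here is a small POSIX sh script, added as an example and not part of the question, the answer or the comment above. It follows the include/substack chain from a service file and prints every module line it reaches, limited to the management group (auth, account, password, session) that the include pulls in, as PAM does. The directory and service name are arguments; the sample files in the test are constructed.

```sh
#!/bin/sh
# pam_chain DIR SERVICE [TYPE] [DEPTH]
# Print "file<TAB>type<TAB>control<TAB>module" for every module line reached
# from DIR/SERVICE, following include/substack. TYPE restricts output to one
# management group (an include only pulls in lines of its own type).
pam_chain() {
  set -- "$1" "$2" "${3:-}" "${4:-0}"
  [ "$4" -le 8 ] || { echo "include depth exceeded at $1/$2" >&2; return 1; }
  [ -r "$1/$2" ] || { echo "cannot read $1/$2" >&2; return 1; }
  # drop comments and blank lines; PAM syntax is: type control module [args]
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/$2" |
  while read -r ptype control module args; do
    # "-auth" marks an optional line; compare without the leading dash
    [ -z "$3" ] || [ "${ptype#-}" = "$3" ] || continue
    case $control in
      \[*)
        # bracketed control like "[success=1 default=ignore]" spans words:
        # keep pulling words from args until the closing "]" is seen
        while [ "${control%]}" = "$control" ] && [ -n "$module" ]; do
          control="$control $module"
          module=${args%% *}; args=${args#"$module"}; args=${args# }
        done ;;
    esac
    case $control in
      include|substack)
        pam_chain "$1" "$module" "${ptype#-}" $(($4 + 1)) ;;
      *)
        printf '%s\t%s\t%s\t%s\n' "$2" "$ptype" "$control" "$module" ;;
    esac
  done
}

# Usage: ./pam_chain.sh sshd [/etc/pam.d]  (no output when run without args)
if [ "$#" -ge 1 ]; then
  pam_chain "${2:-/etc/pam.d}" "$1"
fi
```

Lines whose file column is not the service you started from are the ones an edit to the sshd file would not touch; that is where a system-wide change has to go.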