PAM-modules Manual (split by node):   Section:   Chapter:FastBack: ldaphome   Up: ldaphome example   FastForward: umotd   Contents: Table of ContentsIndex: Concept Index

7.2.1 Openssh versions prior to 6.2p1

The user's public keys are kept in the ‘grayPublicKey’ attribute of his LDAP entry. When a user logs in for the first time, his home directory does not exist yet, so sshd is not able to verify his key. It therefore falls back to interactive authentication (assuming, of course, that ‘UsePAM’ is set to ‘yes’ in the sshd configuration file). The authentication stage is expected to create the user's home directory, populate his .ssh/authorized_keys with his public keys, and present the user with a descriptive text prompting him to cancel the current authentication attempt and retry it. The corresponding pam.conf section looks as follows:

pam.conf

sshd auth [success=ok try_again=1 default=die] \
    pam_ldaphome.so 
sshd auth [success=done ignore=ignore default=die] \
    pam_unix.so
sshd auth [default=die]  pam_echo.so file=/etc/ldaphome.txt

The first line does most of the job. If pam_ldaphome.so succeeds in creating the user directory, it returns ‘try_again’. This causes the next stack entry to be skipped, so control passes to pam_echo.so, which prints the descriptive text from /etc/ldaphome.txt and exits indicating authentication failure.

The pam_ldaphome.so module returns ‘success’ if the user who is trying to log in should not be handled by it (e.g. because his UID is less than the ‘min-uid’ setting, etc.). In this case, authentication is handled by pam_unix.so. This allows normal system accounts to function as usual, which is very important because it keeps the machine accessible even when the LDAP database is unavailable for some reason.
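The following Python model is an added illustration, not part of the manual or of the pam-modules code: it applies the Linux-PAM control-flow rules from pam.conf(5) (‘ok’, ‘done’, ‘die’, ‘ignore’, and the numeric jump) to the three-line sshd stack above, with simulated module return values, so the two cases just described can be traced step by step. It is a simplification of Linux-PAM's dispatcher (no substacks, and the final "a non-positive stack never returns success" rule is modelled as PAM_PERM_DENIED).

```python
# Constructed model of Linux-PAM stack evaluation for the sshd stack above.
# Return-value and action names follow pam.conf(5); this is an educational
# simplification, not code from Linux-PAM or pam-modules.
SUCCESS, TRY_AGAIN, AUTH_ERR, IGNORE = "success", "try_again", "auth_err", "ignore"
PERM_DENIED = "perm_denied"

def parse_control(spec):
    """'[success=ok try_again=1 default=die]' -> {'success': 'ok', ...}"""
    return dict(tok.split("=", 1) for tok in spec.strip("[]").split())

# The stack from pam.conf: (module name, control field).  pam_echo.so
# always returns success, so its [default=die] turns that into a failure.
STACK = [
    ("pam_ldaphome.so", "[success=ok try_again=1 default=die]"),
    ("pam_unix.so",     "[success=done ignore=ignore default=die]"),
    ("pam_echo.so",     "[default=die]"),
]

def run_stack(stack, results):
    """Evaluate the stack; `results` maps module name -> simulated return
    value (unlisted modules return success).  Returns (status, modules run)."""
    status, impression, invoked = None, None, []   # impression: None/'pos'/'neg'
    i = 0
    while i < len(stack):
        name, ctl = stack[i]
        retval = results.get(name, SUCCESS)
        invoked.append(name)
        actions = parse_control(ctl)
        action = actions.get(retval, actions["default"])
        i += 1
        if action == "ignore":                  # retval does not affect status
            continue
        if action.isdigit():                    # N: like 'ok', then skip N entries
            i += int(action)
            action = "ok"
        if action in ("ok", "done"):
            if impression != "neg":             # an earlier failure sticks
                impression, status = "pos", retval
            if action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "neg":             # first failure wins
                impression, status = "neg", retval
            if action == "die":
                break
        elif action == "reset":
            status, impression = None, None
    # Sanity rule: a stack that never reached a positive impression fails.
    if status is None or (status == SUCCESS and impression != "pos"):
        status = PERM_DENIED
    return status, invoked
```

With these rules, a ‘try_again’ from pam_ldaphome.so skips pam_unix.so and ends at pam_echo.so, whose success is mapped by ‘die’ to a denial, while a ‘success’ hands the decision to pam_unix.so.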

pam_ldaphome.conf

The pam_ldaphome.so configuration handles users with UIDs and GIDs greater than or equal to 1000 who belong to the group ‘remote’. User home directories are populated from the /etc/skel directory.

min-uid 1000
min-gid 1000
allow-groups remote 
skel /etc/skel
base dc=gnu,dc=org,dc=ua
filter (&(objectClass=posixAccount)(uid=$user))
pubkey-attr grayPublicKey

Schema

The LDAP schema should include an attribute to keep the user public keys. The author uses the following schema:

# depends upon:
#    nis.schema

# Attribute Definitions
attributetype ( 1.3.6.1.4.1.9163.2.1.0 NAME 'grayPublicKey'
    DESC 'SSH public key'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# Object Class Definitions
objectclass ( 1.3.6.1.4.1.9163.2.2.0 NAME 'grayAccount'
    DESC 'Abstraction of an employee account'
    SUP posixAccount AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ grayPublicKey ) )

/etc/nsswitch.conf

The ‘passwd’ and ‘group’ entries in /etc/nsswitch.conf file should be as follows:

passwd:         files ldap
group:          files ldap
