[tech] manbo, ldap, stuff
James Andrewartha
trs80 at ucc.gu.uwa.edu.au
Tue Feb 20 21:55:24 WST 2007
On Tue, 20 Feb 2007, Matt Johnston wrote:
> Personally I think pubkey auth is more useful than easily changed
> passwords from everywhere.
And now we can have both! The solution to SSH public-key authentication,
Solaris' libpam_ldap.so and OpenLDAP? Throw away libpam_ldap.so! Since
public-key auth doesn't need a password authenticated by some module, the
following in /etc/pam.conf works just fine:
sshd-pubkey account requisite pam_roles.so.1
sshd-pubkey account required pam_unix_account.so.1
NSS still goes through LDAP, so the account still exists and everything
just works (tm). The solution came to me when looking at
http://www.semicomplete.com/blog/geekery/solaris-10-sshd-publickey-solution.html
which showed it was almost (sshd-pubkey not ssh-pubkey) specified in
http://opensolaris.org/jive/thread.jspa?threadID=614&tstart=0
So goodbye Sun Directory Server, you were useful for setting up the
directory, but you just don't cut it feature-wise.
--
# TRS-80 trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member http://trs80.ucc.asn.au/ #| what squirrels do best |
[ "There's nobody getting rich writing ]| -- Collect and hide your |
[ software that I know of" -- Bill Gates, 1980 ]\ nuts." -- Acid Reflux #231 /
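An added example, not part of the original message: a small checker that shows which account modules PAM applies to the sshd-pubkey service, before and after adding the two lines above. The sample pam.conf contents (including the LDAP-backed "other" account stack and the pam_ldap.so.1 entry) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the PAM modules that apply to a service and module type
# in a Solaris-style pam.conf (fields: service type control module [options]).
# If the service has no entry of that type, PAM uses the "other" entries.

# effective_stack FILE SERVICE TYPE -> prints "control module", one per line
effective_stack() {
    awk -v svc="$2" -v typ="$3" '
        $1 ~ /^#/      { next }                  # skip comment lines
        $2 != typ      { next }                  # wrong module type (or blank)
        $1 == svc      { own = own $3 " " $4 "\n" }
        $1 == "other"  { fallback = fallback $3 " " $4 "\n" }
        END            { printf "%s", (own != "" ? own : fallback) }
    ' "$1"
}

# uses_module FILE SERVICE TYPE PATTERN -> exit 0 if the stack references it
uses_module() {
    effective_stack "$1" "$2" "$3" | grep -q "$4"
}

# Constructed sample: a pam.conf whose default account stack goes through LDAP.
make_samples() {
    dir=$1
    cat > "$dir/before.conf" <<'EOF'
# constructed sample, not a real system's configuration
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account required    pam_ldap.so.1
EOF
    # Same file plus the two sshd-pubkey lines from the message above.
    cp "$dir/before.conf" "$dir/after.conf"
    cat >> "$dir/after.conf" <<'EOF'
sshd-pubkey account requisite pam_roles.so.1
sshd-pubkey account required pam_unix_account.so.1
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for f in before after; do
        echo "== $f: account stack for sshd-pubkey"
        effective_stack "$tmp/$f.conf" sshd-pubkey account
    done
    rm -rf "$tmp"
}
demo
```

Running effective_stack against a real /etc/pam.conf for each service name sshd uses is a quick way to confirm that no authentication method still falls through to an "other" stack you meant to bypass.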