On Wed, 5 Mar 2008, Edwin Goei wrote:

>>> there is a "ssh-pubkey" service name but I'm not sure what this is
>>> for. My list of user/login accounts are in a database and I need some
>>> way of hooking that into sshd. Any ideas?
>>
>> It's so you can have different account authorization policies for
>> different SSH userauth methods.
>
> I'm not sure I follow. I thought PAM was used for authentication and that
> authorization was done afterwards, outside PAM. Could you provide a more
> concrete example?

What was meant was that you can have a different PAM stack for different
SSH auth methods. However, one must bear in mind that not all SSH auth
methods call pam_authenticate(3PAM). For example, for public key auth, the
authentication is done outside of PAM, meaning that the ssh server checks
the public key received from the client against the authorized_keys
database, and PAM is used for account, session and password management.
See sshd(1m) for details.

> Since home directory lookup is baked into sshd, the getpwnam(3) API would be
> configured via nsswitch.conf to handle the list of user logins. Any ideas on
> what backend such as LDAP or files to use? The ssh/SCM host would periodically
> poll for new committer accounts and create home directories for them and

What is "ssh/SCM host"?

> .ssh/authorized_keys. Does this approach sound right?

J.

-- 
Jan Pechanec
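As an added illustration (not part of this thread), a Solaris-style pam.conf fragment showing the distinction made above: the password userauth method gets an auth stack, while the public-key method gets only account and session lines, because sshd verifies the key itself and never calls pam_authenticate for it. The per-method service names follow the sshd(1M) convention on Solaris 10 and the module file names are Solaris defaults; both are assumptions here and may differ on other systems.

```text
# pam.conf fragment (added example, not taken from the thread).
# Assumes Solaris-style per-service PAM stacks; service names and module
# file names are Solaris 10 defaults and are an assumption for other systems.

# Password userauth: sshd calls pam_authenticate(3PAM), so an auth stack
# is consulted before account and session management.
sshd-password  auth     requisite  pam_authtok_get.so.1
sshd-password  auth     required   pam_dhkeys.so.1
sshd-password  auth     required   pam_unix_cred.so.1
sshd-password  auth     required   pam_unix_auth.so.1
sshd-password  account  requisite  pam_roles.so.1
sshd-password  account  required   pam_unix_account.so.1
sshd-password  session  required   pam_unix_session.so.1

# Public-key userauth: the key is checked against authorized_keys by sshd
# itself, so no auth line is ever consulted for this service. Any auth
# module placed here would be silently ignored; only account management
# (authorization: locked/expired accounts, role restrictions) and session
# management run, which is where a per-method policy can be enforced.
sshd-pubkey    account  requisite  pam_roles.so.1
sshd-pubkey    account  required   pam_unix_account.so.1
sshd-pubkey    session  required   pam_unix_session.so.1
```

A quick check after editing: log in once with a password and once with a key and confirm, via the PAM debug output that sshd(1M) describes, that the pubkey login runs account and session but no auth modules.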