Glenn Faden wrote:
> Jan Parcel wrote:
>>> I don't understand the advantage of diff vs. -newer. The latter is
>>> simpler so why not use it? My suggested workaround also deals with the
>>> case where the copy doesn't exist yet.
>>>
>> diff would correct a bad copy that is more recent than the original
>>
>>
>>> As you've noted, the /etc/shadow file in the labeled zones is not used
>>> by the desktop software. Just for remote login, e.g. ssh. So, while not
>>> a perfect workaround, it is likely to satisfy the customer. Ultimately
>>> the customer should be using ldap to keep passwords in sync.
>>>
>> Does ldap work with ssh?

Yes, of course it does, but it also depends on what it is you want to do with LDAP and SSH. I assume you mean just authenticate using username and password. SSH has many different ways to authenticate users (and hosts), two of which use a username and password (SSH userauth methods password and keyboard-interactive). In both of those cases sshd just calls standard libc/libnsl nameservice calls and standard libpam calls to authenticate the user and set up the session. Nothing different to what login does for telnet or rlogin really (it does it in a cleaner way, but that is mostly for coding history reasons).

It doesn't matter if we are using LDAP as a nameservice and doing pam_unix_auth or if we are using LDAP as an account authority and using pam_ldap; sshd will authenticate correctly. However you MUST read and properly configure sshd for PAM as documented in the sshd(1M) man page; don't guess at what its PAM service name is, because you *will* get it wrong.

> It should, but I can't confirm that. This is really a PAM configuration
> issue since sshd isn't supposed to do anything different in this case of
> ldap authentication.

It isn't PAM but PAM and the Nameservice Switch. If there are issues with LDAP and sshd when doing password or keyboard-interactive authentication, then that is a bug.

Depending on the LDAP configuration for authentication there could be issues with the SSH pubkey userauth method.

sshd also supports GSSAPI for user (and host) authentication and can be configured to pass on the Kerberos creds, so that if LDAP requires Kerberos creds for self-credentialed lookups that works too.

-- 
Darren J Moffat
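Since the reply above says the answer lies in two layers, sshd's PAM stacks and the name service switch, here is an added check script (not from the thread or from Solaris itself) that inspects both. It parses constructed sample copies of pam.conf and nsswitch.conf so it runs anywhere; the sshd-password and sshd-kbdint service names are an assumption taken from the Solaris 10 sshd(1M) man page, so confirm them against your own.

```shell
# Added example, not from the thread: check the PAM stacks sshd will use for
# the password and keyboard-interactive userauth methods, and whether the
# passwd database in the name service switch actually consults ldap.
# Sample files are constructed here; point PAM_CONF/NSS_CONF at real files to
# check a host. The sshd-* service names are an assumption from sshd(1M).

PAM_CONF="${PAM_CONF:-${TMPDIR:-/tmp}/pam.conf.sample}"
NSS_CONF="${NSS_CONF:-${TMPDIR:-/tmp}/nsswitch.conf.sample}"

write_samples() {
  cat > "$PAM_CONF" <<'EOF'
# constructed sample in Solaris pam.conf layout: service type control module
sshd-password auth requisite pam_authtok_get.so.1
sshd-password auth required  pam_unix_auth.so.1
sshd-kbdint   auth requisite pam_authtok_get.so.1
sshd-kbdint   auth required  pam_ldap.so.1
other         auth required  pam_unix_auth.so.1
EOF
  cat > "$NSS_CONF" <<'EOF'
passwd: files ldap
group:  files ldap
hosts:  files dns
EOF
}

# pam_auth_modules SERVICE: print the auth modules configured for a PAM
# service name; empty output means sshd would fall back to the "other" stack.
pam_auth_modules() {
  awk -v svc="$1" '$1 == svc && $2 == "auth" { print $4 }' "$PAM_CONF"
}

# nss_uses_ldap DB: succeed if the switch database (e.g. passwd) lists ldap.
nss_uses_ldap() {
  awk -v db="$1:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                   END { exit !ok }' "$NSS_CONF"
}

# check_sshd_ldap: report both layers; returns non-zero if either looks wrong.
check_sshd_ldap() {
  rc=0
  for svc in sshd-password sshd-kbdint; do
    mods=$(pam_auth_modules "$svc")
    if [ -z "$mods" ]; then
      echo "WARN: no auth stack for $svc; sshd would use the 'other' stack"; rc=1
    else
      echo "$svc auth modules:" $mods
    fi
  done
  if nss_uses_ldap passwd; then echo "passwd switch includes ldap"
  else echo "WARN: passwd switch does not include ldap"; rc=1; fi
  return $rc
}
```

Run `write_samples` and then `check_sshd_ldap` to see the report for the constructed files.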