Re: nssov overlay and hostservice
On Friday, 5 February 2010 03:26:36 ben thielsen wrote:
> pam config for sshd:
> >egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
>
> auth required pam_env.so # [1]
> auth required pam_env.so envfile=/etc/default/locale
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_ldap.so use_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> account required pam_nologin.so
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
The above line will succeed for any user that can be enumerated via getpwent
(e.g. by 'getent passwd username'), which will most likely include all your
LDAP users. You should use something that will succeed for "local" users but
not LDAP users, such as pam_localuser.so (if available on your platform).
> account [success=1 default=ignore] pam_ldap.so
> account requisite pam_deny.so
> account required pam_permit.so
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session required pam_unix.so
> session optional pam_ldap.so no_warn
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard noenv # [1]
> session required pam_limits.so
> password required pam_passwdqc.so min=disabled,16,12,7,6 max=256
> password [success=2 default=ignore] pam_unix.so obscure md5
> password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
> password requisite pam_deny.so
> password required pam_permit.so
Regards,
Buchan
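
A small simulation of the account stack quoted above, added here as an illustration and not part of the original message: it walks the bracket controls to show that an LDAP user takes the `success=2` jump at `pam_unix.so` without `pam_ldap.so` ever running, and how a `pam_localuser.so` line changes that. The module return codes and the exact `pam_localuser.so` line are assumptions, and a jump is treated as leaving the running status untouched.

```python
import re

# Simple control keywords and their bracket equivalents, per pam.conf(5).
SIMPLE = {"required":  {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
          "requisite": {"success": "ok", "new_authtok_reqd": "ok", "default": "die"}}

def parse(stack):
    """Turn PAM config lines into a list of (control_map, module)."""
    rules = []
    for line in stack.strip().splitlines():
        ctl, module = re.match(r"\s*\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        ctl = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else SIMPLE[ctl]
        rules.append((ctl, module))
    return rules

def evaluate(stack, results):
    """Walk a stack using the given module return codes; return (allowed, modules_run)."""
    rules, i, ok, failed, ran = parse(stack), 0, False, False, []
    while i < len(rules):
        ctl, module = rules[i]
        ran.append(module)
        action = ctl.get(results[module], ctl.get("default", "ignore"))
        i += 1
        if action.isdigit():
            i += int(action)              # jump over the next N modules
        elif action in ("ok", "done"):
            ok = True
            if action == "done" and not failed:
                break
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break
    return ok and not failed, ran

ORIGINAL = """account required pam_nologin.so
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so"""
# Assumed variant following the reply's suggestion; only the second line changes.
LOCALUSER = ORIGINAL.replace(
    "[success=2 new_authtok_reqd=done default=ignore] pam_unix.so",
    "[success=2 default=ignore] pam_localuser.so")

# Constructed return codes for an LDAP user whom pam_ldap.so would refuse.
LDAP_USER = {"pam_nologin.so": "success", "pam_unix.so": "success",
             "pam_localuser.so": "perm_denied", "pam_ldap.so": "perm_denied",
             "pam_deny.so": "acct_expired", "pam_permit.so": "success"}
```

`evaluate(ORIGINAL, LDAP_USER)` reports the user as allowed with `pam_ldap.so` absent from the list of modules run, while `evaluate(LOCALUSER, LDAP_USER)` reaches `pam_ldap.so` and ends in `pam_deny.so`.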