ssh local account / ldap account

Poil · 02-24-2010, 09:57 AM

Hi,
Here is my problems :

Today,
- Ldap accounts are allowed to connect on SSH
- Local account are not allowed to connect on SSH
Ldap account is allowed by "/etc/pam/sshd" :

Code:

auth       required     pam_listfile.so item=group sense=allow file=/etc/security/allowed-groups onerr=succeed

I would like to :
- Permit LDAP account to connect on SSH with a publickey or a password
- Permit Local account to connect on SSH with a publickey but deny with password)

They are some options on sshd_config like PubkeyAuthentication and PasswordAuthentication; but these options seem to be for all account.

Is there any way to do this ?
If possible, I don't want to put all my local users in a same "global local group"

Best regards,

never say never · 02-24-2010, 01:55 PM

Only way I can think of to accomplish what you want is to run multiple ssh daemons. That of course means you will have to select a port other than port 22 for one of them.

chrism01 · 02-24-2010, 06:26 PM

If you can separate them into 2 groups, I think the sshd_config Match option http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5 will do the trick.

Poil · 02-25-2010, 04:44 AM

That was exactly what I want, but Match option is in opensshd>=4.4
I'm using RHEL5.4 who have got a 4.3 ...

chrism01 · 02-25-2010, 09:43 PM

You might want to check that; RH backport changes, so the version num doesn't change, but the release num does.

Quote:

Software as Packages
• package-version-release.arch.rpm
• version - upstream developer version
• release - packager modifies (fixes/backports documented in “changelog”)
• arch - processor architecture of binaries

Poil · 02-26-2010, 01:04 AM

This functionnality isn't backported

https://bugzilla.redhat.com/show_bug.cgi?id=529918