Centralized Authentication
I would like some people's thoughts on setting up a centralized authentication / authorization for a large number of servers. So far I have been toying with user accounts and user ssh keys in ldap using pam_ldap and openssh with ldap_sshkey patch. This works pretty well so far. I have also setup Sudo to use centralized ldap rules and again this works although my Sudo rules need to be tightened up (any suggestions, pointers etc willingly accepted).
Here is the tricky part. All of our machines are RHEL-2.1/3/4 and with RHEL4 I noticed that it comes with pam_ccreds and nss_updatedb. So what I would like to do is set up connectionless authentication.
I have a cron to run nss_updatedb every hour storing user and group information to a berkelydb hash in /var/db - This works. I also have a cron job to interrogate ldap to pull down all user's ssh keys and store them locally every hour. I also setup nsswitch.conf to use ldap files db
My problem is my /etc/pam.d/system_auth - I can disconnect from LDAP, ssh will use the local ssh keys, but pam will deny the login. There does not seem to be a lot of documentation on pam_ccreds and I was wondering if anyone here has thoughts/tips ...
Many thanks.
|