Old 10-06-2009, 11:48 AM   #1
LQ Newbie
Registered: Oct 2009
Posts: 3

Rep: Reputation: 0
pam_ssh searching private key on an LDAP server

Hello everybody,

First of all, sorry if this was not the proper forum to ask this question (I hesitated between this one and the "networking" one) or if it has been answered somewhere, but I really couldn't find it.

I'm testing the pam_ssh module in order to have a single sign on behavior in my network, but even that isn't working perfectly: the user logs in with his private key passphrase, but the ssh-agent apparently doesn't load at this moment, since at the first attempt to do an ssh the passphrase is asked again - from this point on, it's not asked anymore during this session.

Couldn't it be loaded at the login to the workstation?

Anyway, what I really would like to do is to make this single sign on integrated with LDAP. The user, registered on LDAP and maybe with no homedir on the workstation yet (therefore, no private key), would type his LDAP password and the system would not only authenticate him, but also download the private key from the LDAP server and instantiate the ssh-agent so he never has to type his password again during this session - this is important because we would like to have some scripts opening ssh sessions without prompting the user for his password again (and also because single sign on is quite nice too).

I haven't found any tutorial explaining how I could integrate pam_ssh with ldap. Am I really the first person wanting to do such a thing?

For information, all stations (clients and servers) run Ubuntu 9.04.

Thank you!
Old 10-06-2009, 01:37 PM   #2
Senior Member
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 83
Hi there,

Single Sign On is definitely one of those magnificent holy grail type things that we have a lot of trouble implementing. Conventional wisdom in the Windows world points to Active Directory integration of applications, theoretically including something like ssh. As you probably know, AD implements a Kerberos key distribution center, and it is thought this is the way to go in Linux also. LDAP can be used as a backend to the KDC, though it must be said, there is no current standalone implementation of LDAP and Kerberos that suits what you are looking for.

This article describes an SSO solution for Ubuntu, but it requires some careful planning to get right!

Last edited by irishbitte; 10-06-2009 at 01:51 PM.
Old 10-06-2009, 08:16 PM   #3
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,396

Rep: Reputation: 2395
LDAP and ssh are two separate things, and each has its own PAM module:

For a secure centralized login, try LDAP+TLS
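The two-module layout reply #3 points at, written out as an added example that is not from any poster: pam_ldap checks the password, and pam_ssh's session component is what starts the agent, which is the piece the original question's setup is missing. It assumes the Debian/Ubuntu common-auth/common-session layout and that the login service (gdm, login) includes those files; module order and option names should be checked against the pam_ssh and pam_ldap manual pages of the release in use.

```pam
# /etc/pam.d/common-auth   (constructed example, not a distribution default)
#
# pam_ssh goes first so that the single password typed at login is tried as
# the key passphrase; "optional" means a key that does not unlock is not a
# login failure. The typed string is left in PAM_AUTHTOK for the modules
# below, so the user is prompted only once.
auth    optional    pam_ssh.so
# The same string is then checked against the directory (use_first_pass:
# reuse the stored token instead of prompting again).
auth    sufficient  pam_ldap.so  use_first_pass
# Local accounts as the fallback.
auth    required    pam_unix.so  nullok_secure use_first_pass

# /etc/pam.d/common-session   (constructed example)
#
# This is the line the original question is missing: pam_ssh's session
# component starts ssh-agent, adds the keys that were decrypted in the auth
# phase and exports SSH_AUTH_SOCK into the login session, so later ssh runs
# do not prompt for the passphrase again.
session optional    pam_ssh.so
session required    pam_unix.so
session optional    pam_ldap.so

# Caveats: the private key must already be in the user's home directory
# (which files pam_ssh looks for depends on its version; see its manual
# page); nothing here fetches a key from LDAP, and the login password only
# unlocks the key if it is also the key's passphrase.
```

Whether the agent was actually started can be checked from the resulting session with `ssh-add -l`, which exits with status 2 when no agent is reachable and 1 when an agent is running but holds no keys.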

