Old 05-20-2011, 11:26 AM   #1
Active Directory authentication for ssh without "net ads join" (just with search acc)

Hello everybody,

I'm trying to get ssh authentication over AD. The problem is that I don't have a manager account for the AD, I just have an account which is allowed to search the directory (I am successfully using this setup to authenticate users against the AD through apache and a ROR webapp). The problem is that all guides I have been able to find use pam_ldap and require a "net ads join" at some point for which I would need a manager account. But there must be some way to get ssh authentication against AD using just a search account, right? I'd be really thankful for any pointers as to how this is done...

Thanks a lot in advance!
Old 05-21-2011, 07:49 AM   #2
Technically speaking, I think most of the docs for doing this actually use LDAP for the user search and Kerberos for the actual authentication, much the same as Windows does. In order for Kerberos to work you will need to have the PC joined to the domain in order to get the proper trust relationships between the computer and server.

Actually using LDAP alone for authentication is probably a bad idea, as it will send passwords in clear text by default unless you have SSL enabled on the server and client. If you don't have proper credentials to be adding this device to the domain, and can't ask someone to do it for you, it brings up the question of whether this is something you should be doing at all.
Old 05-23-2011, 02:30 AM   #3
Original Poster
Thanks a lot for the info - though unfortunately I don't really have the choice of not using LDAP alone, since I need several webapps to do LDAP authentication on that system anyway. And since the strength of a chain is the strength of its weakest link... Also, I could ask the domain administrator to perform the join, but - apart from the guy having enough to do without me pestering him - this brings along a host of other problems, such as the free version of NX refusing to work with ssh authentication against AD.

So, the question stands: Since I already have webapps authenticating against AD, how do I do this for ssh? Or at least for svn (what I'm trying to do is automatic svn repository creation through redmine, which works fine, but it would be great if those people actually could also access the repositories through svn+ssh)?
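An added example (not posted by anyone in this thread) of what the pam_ldap route asked about looks like when a read-only search account is the only credential available: an nss-pam-ldapd `/etc/nslcd.conf` that binds with that account for lookups, lets users authenticate by binding as themselves (no machine join involved), and forces TLS so the clear-text password exposure described above does not apply. The DC hostname, base DN, account DN and CA file path are placeholders.

```conf
# /etc/nslcd.conf (nss-pam-ldapd). Added example; all hosts and DNs are placeholders.
# Contains bindpw, so keep it root:nslcd 0640.

# Weak variant, kept only for contrast: every PAM bind sends the user's password
# in clear text and the server certificate is never validated.
#uri ldap://dc1.example.internal/
#ssl off
#tls_reqcert never

# Hardened variant: LDAPS to the DC, certificate checked against the corporate CA.
uri ldaps://dc1.example.internal/
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/corp-ad-ca.pem

# Read-only search account, the same kind the web apps already use.
# Logins still work by pam_ldap binding as the user with the supplied password.
base dc=example,dc=internal
binddn cn=ldap-search,ou=Service Accounts,dc=example,dc=internal
bindpw PLACEHOLDER_SEARCH_PASSWORD

# AD does not speak RFC 2307 natively, so map the POSIX attributes.
# Without a join there is no SID-to-uid translation: accounts need a uidNumber
# (and gidNumber) in AD, hence the (uidNumber=*) filter.
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    "/home/$sAMAccountName"
map    passwd gecos            displayName
map    passwd loginShell       "/bin/bash"
filter shadow (&(objectClass=user)(!(objectClass=computer)))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
```

With `ldap` added to the passwd/shadow lines of `/etc/nsswitch.conf` and pam_ldap in the PAM auth stack, sshd only needs `UsePAM yes`; svn+ssh then follows automatically since it rides on the same login.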