Currently I have noticed that when I use OpenSSH Server with PAM, for example RADIUS, although I can get users to authenticate successfully through PAM, I still need a local user account in /etc/passwd, e.g. added with useradd on the box.
Is there any setting in OpenSSH that says a local user in /etc/passwd is not required, and instead initializes the shell / home dir / session from some defaults? I have not been able to find any way online.
The configuration in /etc/nsswitch.conf sets the order in which users are looked up. You can check how a user is resolved with getent passwd $USER. Users do not need a local account in order to log in. Bind the passwd and group databases in /etc/nsswitch.conf to ldap, nis and/or sss, and use the appropriate PAM modules in the stack.
A use case with SSSD and freeIPA, where users, groups, login shells, sudo rules, SELinux mappings, etc. are stored in the directory managed by freeIPA. Note that sshd uses GSSAPI to authenticate against Kerberos, whose database is also stored in that directory:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.COM = {
kdc = ipaserver.domain.com:88
master_kdc = ipaserver.domain.com:88
admin_server = ipaserver.domain.com:749
default_domain = domain.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.crapsteak.org = DOMAIN.COM
crapsteak.org = DOMAIN.COM
[dbmodules]
DOMAIN.COM = {
db_library = ipadb.so
}
# grep sss /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
automount: files sss
# cat /etc/sssd/sssd.conf
[domain/domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = somehost.domain.com
chpass_provider = ipa
ipa_server = ipaserver.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = domain.com
# grep sss /etc/pam.d/{password,system}-auth-ac
/etc/pam.d/password-auth-ac:auth sufficient pam_sss.so use_first_pass
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/password-auth-ac:password sufficient pam_sss.so use_authtok
/etc/pam.d/password-auth-ac:session optional pam_sss.so
/etc/pam.d/system-auth-ac:auth sufficient pam_sss.so use_first_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/system-auth-ac:password sufficient pam_sss.so use_authtok
/etc/pam.d/system-auth-ac:session optional pam_sss.so
# grep GSS /etc/ssh/sshd_config
GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
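The two answers above name three places that all have to agree before a directory user can log in with no /etc/passwd entry: the passwd and group lines in /etc/nsswitch.conf must include a non-local source, the PAM stack that sshd includes must reach pam_sss.so in both the auth and the account phase, and the SSSD nss and pam responders must be running. The script below is an added example, not part of either answer or of the SSSD project, that checks all three from the file contents and reports what is missing. The file texts are passed in as strings so it runs offline; the GOOD_* and BAD_* samples at the bottom are constructed for illustration (the GOOD ones mirror the configuration posted above), and the function and constant names are this example's own.

```python
"""Offline check: can a user with no /etc/passwd entry be resolved and
authenticated on this host?  (Added example, not from the original post.)"""

import re

# NSS sources that can supply accounts from somewhere other than /etc/passwd.
REMOTE_NSS_SOURCES = {"sss", "ldap", "nis", "winbind"}


def nss_sources(nsswitch_text, database):
    """Ordered list of sources for one NSS database line, e.g. 'passwd'."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            # Drop action specifiers such as [NOTFOUND=return]; keep sources only.
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def pam_modules(pam_text, phase):
    """Module names listed for one PAM phase ('auth', 'account', ...)."""
    mods = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip().lstrip("-")  # "-module" = optional
        if not line:
            continue
        # Either "phase control module args" or "phase [ctrl=val ...] module args".
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) == phase:
            mods.append(m.group(3).rsplit("/", 1)[-1])
    return mods


def sssd_services(sssd_text):
    """Responders enabled under [sssd] services = ... in sssd.conf."""
    section = None
    for line in sssd_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "sssd" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "services":
                return [s.strip() for s in val.split(",") if s.strip()]
    return []


def check_remote_login(nsswitch_text, pam_text, sssd_text):
    """Return a list of findings; an empty list means a directory user can
    be resolved (NSS), authenticated and authorised (PAM) via SSSD."""
    findings = []
    for db in ("passwd", "group"):
        srcs = nss_sources(nsswitch_text, db)
        if not REMOTE_NSS_SOURCES & set(srcs):
            findings.append(f"nsswitch: '{db}' resolves only via {srcs or ['(unset)']}")
    # 'auth' proves the password/ticket; 'account' is where access control
    # (e.g. freeIPA HBAC rules) is enforced, so both must reach pam_sss.so.
    for phase in ("auth", "account"):
        if "pam_sss.so" not in pam_modules(pam_text, phase):
            findings.append(f"pam: no pam_sss.so in '{phase}' phase")
    svcs = sssd_services(sssd_text)
    for needed in ("nss", "pam"):
        if needed not in svcs:
            findings.append(f"sssd: '{needed}' responder not enabled (services = {svcs})")
    return findings


# Constructed samples (the GOOD ones follow the configuration posted above).
GOOD_NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"
GOOD_PAM = (
    "auth sufficient pam_sss.so use_first_pass\n"
    "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
    "password sufficient pam_sss.so use_authtok\n"
    "session optional pam_sss.so\n"
)
GOOD_SSSD = "[domain/domain.com]\nid_provider = ipa\n[sssd]\nservices = nss, pam, ssh\ndomains = domain.com\n"

BAD_NSSWITCH = "passwd: files\ngroup: files\n"
BAD_PAM = "auth required pam_unix.so\naccount required pam_unix.so\n"
BAD_SSSD = "[sssd]\nservices = pam\n"

if __name__ == "__main__":
    for label, args in (("good", (GOOD_NSSWITCH, GOOD_PAM, GOOD_SSSD)),
                        ("bad", (BAD_NSSWITCH, BAD_PAM, BAD_SSSD))):
        print(label, check_remote_login(*args) or "OK")
```

On a live host, feed it the real files (open("/etc/nsswitch.conf").read(), the stack included by /etc/pam.d/sshd, and /etc/sssd/sssd.conf) and then confirm the end result with getent passwd $USER as the first answer suggests: if getent prints the user while grep "^$USER:" /etc/passwd prints nothing, the account is coming from the directory, which is exactly what the question asks for.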