I have the following setup:
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account [success=ok perm_denied=die
account required /lib/security/pam_unix_acct.so
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix_session.so
User logins are filtered by the line
in /etc/ldap.conf. All the conf files are soft links to this file.
The configuration works for a user without a certificate. Which is to
say, users belonging to the correct group as defined in the filter can
login, others cannot.
If the user has an ssh certificate pair, and the public key appears on
the target, and there is no password needed, the pam_filter is not
Is there any way to ensure that even users with certificates have to
pass the pam_filter?