Hi.
I have the following setup:
pam.d/ssh

#%PAM0.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account [success=ok perm_denied=die default=ignore] /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix_session.so
User logins are filtered by the line pam_filter in /etc/ldap.conf. All the conf files are soft links to this file.
The configuration works for a user without a certificate; that is, users belonging to the correct group as defined in the filter can log in, others cannot.
If the user has an ssh certificate pair, and the public key appears on the target, and there is no password needed, the pam_filter is not used.
Is there any way to ensure that even users with certificates have to pass the pam_filter?
Thanks,
Peter
openldap-technical@openldap.org
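Added example, not Peter's configuration or OpenLDAP/pam_ldap code: a small Python parser over the stack quoted above that reports which PAM management groups sshd still drives for a public-key login versus a password login. The GROUPS_BY_METHOD mapping is an assumption of standard sshd behaviour with UsePAM enabled: public-key authentication never calls pam_authenticate(), so nothing placed only in the auth group is consulted.

```python
"""Which entries of an sshd PAM stack run for a given login method?"""
import re

# Constructed copy of the pam.d/ssh stack quoted in the post.
PAM_SSH = """\
#%PAM0.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account [success=ok perm_denied=die default=ignore] /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix_session.so
"""

# Assumed sshd behaviour (UsePAM yes): password logins call pam_authenticate,
# pam_acct_mgmt and pam_open_session; public-key logins skip pam_authenticate,
# so the 'auth' management group is never entered.
GROUPS_BY_METHOD = {
    "password": ("auth", "account", "session"),
    "publickey": ("account", "session"),
}

# type, control (plain keyword or [bracketed] form), module path, optional args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        typ, control, module, args = m.groups()
        entries.append((typ, control, module.rsplit("/", 1)[-1], args or ""))
    return entries


def groups_using(entries, module, method):
    """Management groups in which `module` is still reached under `method`."""
    groups = GROUPS_BY_METHOD[method]
    return sorted({e[0] for e in entries if e[0] in groups and e[2] == module})


if __name__ == "__main__":
    stack = parse_pam(PAM_SSH)
    for method in GROUPS_BY_METHOD:
        print(method, "-> pam_ldap.so reached in:", groups_using(stack, "pam_ldap.so", method))
```

For the posted stack the output shows pam_ldap.so reached in auth and account for a password login but only in account for a public-key login, which is why an auth-only control never fires for key-based users.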