[Bug 2378] Allow login to a role using Hostbased auth on platforms supporting PAM_AUSER

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Apr 13 23:20:49 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2378

--- Comment #2 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Steps to reproduce/test
----

On the server:

echo 'HostBasedAuthentication yes' >>/etc/ssh/sshd_config
echo 'IgnoreRhosts no' >>/etc/ssh/sshd_config
svcadm restart ssh

roleadd -m testrole
useradd -m -R testrole testuser

cat >/etc/pam.d/sshd-hostbased <<EOF
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1
account requisite       pam_roles.so.1 allow_remote debug
account definitive      pam_user_policy.so.1
account required        pam_unix_account.so.1
account required        pam_tsol_account.so.1
session definitive      pam_user_policy.so.1
session required        pam_unix_session.so.1
@ password definitive     pam_user_policy.so.1
@ password include        pam_authtok_common
@ password required       pam_authtok_store.so.1
EOF

su - testrole
echo '192.168.0.1 testuser' >.shosts
ssh testuser at 192.168.0.1   # to populate known_hosts
^D


On the client:

echo 'EnableSSHKeysign yes' >>/etc/ssh/ssh_config
useradd -m testuser
su - testuser
ssh testrole at serverb.tkuthan.oracle.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list