user creation before authentication

Dag-Erling Smørgrav des at des.no
Mon Nov 28 15:49:36 EST 2011


Gábor Zöld <zgabe84 at gmail.com> writes:
> I added the following line to /etc/pam.d/sshd to retrieve account
> information and I modified nsswitch too. (passwd: files ldap, group:
> files ldap)
> account         required        /usr/local/lib/pam_ldap.so

The "account" service is not used to "retrieve account information".  It
is used after authentication has succeeded to determine whether the
account is valid, whether a password change is required etc.

PAM only provides authentication and authorization; NSS is responsible
for identification.  Greatly simplified, identification is "who is Joe
Bloggs?", authentication is "can you prove that you're Joe Bloggs?" and
authorization is "is Joe Bloggs allowed to do this?"

The following article is a decent introduction to PAM:

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/article.html

DES
-- 
Dag-Erling Smørgrav - des at des.no
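The split described in the reply (NSS identifies the user, PAM's "auth" stack authenticates, PAM's "account" stack is consulted only afterwards) as an added model in Python. This is not code from the thread or from OpenSSH/FreeBSD: the nsswitch.conf parser, the USER_SOURCES table, and the pam_auth/pam_account callables are constructed stand-ins for the C library's getpwnam() and the real PAM stack, so the example runs offline and makes the ordering visible.

```python
"""Model of where identification (NSS), authentication (PAM 'auth') and
account validation (PAM 'account') sit in an sshd login.

Added example, not code from the openssh-unix-dev thread.  USER_SOURCES,
parse_nsswitch and the pam_* callables are constructed stand-ins; a real
system resolves names through the C library's NSS and runs the real PAM stack.
"""
from typing import Callable, Dict, List, Optional

# Constructed per-source user data that NSS would consult.  "files" stands
# for /etc/passwd; "ldap" stands for what an nss_ldap module would return.
USER_SOURCES: Dict[str, Dict[str, dict]] = {
    "files": {"root": {"uid": 0, "shell": "/bin/sh"}},
    "ldap": {"gabor": {"uid": 10001, "shell": "/bin/bash"}},
}


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Parse nsswitch.conf lines such as 'passwd: files ldap' into
    database -> ordered list of sources.  Comments and blank lines are skipped."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        table[db.strip()] = sources.split()
    return table


def nss_getpwnam(name: str, nsswitch: Dict[str, List[str]]) -> Optional[dict]:
    """Identification: walk the 'passwd' sources in nsswitch order; first hit wins.
    PAM never performs this step; it is NSS's job."""
    for source in nsswitch.get("passwd", ["files"]):
        entry = USER_SOURCES.get(source, {}).get(name)
        if entry is not None:
            return entry
    return None


def login(name: str, nsswitch: Dict[str, List[str]],
          pam_auth: Callable[[str], bool],
          pam_account: Callable[[str], bool]) -> dict:
    """Run the stages in the order sshd and PAM run them and record which ones
    were reached.  The 'account' stack is only consulted after identification
    and authentication have both succeeded."""
    stages: List[str] = ["identification"]
    if nss_getpwnam(name, nsswitch) is None:
        # NSS could not map the login name to a uid; PAM is never asked.
        return {"result": "unknown user", "stages": stages}
    stages.append("auth")
    if not pam_auth(name):
        return {"result": "authentication failed", "stages": stages}
    stages.append("account")
    if not pam_account(name):
        # Expired account, disallowed host, etc.: decided here, not during auth.
        return {"result": "account invalid", "stages": stages}
    return {"result": "ok", "stages": stages}


if __name__ == "__main__":
    files_only = parse_nsswitch("passwd: files\ngroup: files\n")
    files_ldap = parse_nsswitch("passwd: files ldap\ngroup: files ldap\n")
    always = lambda user: True  # constructed PAM modules that succeed
    # An LDAP-only user is unknown until nsswitch.conf lists ldap for passwd,
    # no matter what the PAM 'account' stack contains.
    print(login("gabor", files_only, always, always))
    print(login("gabor", files_ldap, always, always))
```

Running the block prints the two outcomes for the same user: "unknown user" with only "files" in the passwd line (PAM is never reached), and "ok" once "ldap" is added, at which point the auth and account stacks run in that order.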
