user creation before authentication
Dag-Erling Smørgrav
des at des.no
Mon Nov 28 15:49:36 EST 2011
Gábor Zöld <zgabe84 at gmail.com> writes:
> I added the following line to /etc/pam.d/sshd to retrieve account
> information and I modified nsswitch too.(passwd: files ldap, group:
> files ldap)
> account required /usr/local/lib/pam_ldap.so
The "account" service is not used to "retrieve account information". It
is used after authentication has succeeded to determine whether the
account is valid, whether a password change is required etc.
PAM only provides authentication and authorization; NSS is responsible
for identification. Greatly simplified, identification is "who is Joe
Bloggs?", authentication is "can you prove that you're Joe Bloggs?" and
authorization is "is Joe Bloggs allowed to do this?"
The following article is a decent introduction to PAM:
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/article.html
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the openssh-unix-dev
mailing list