>> It wasn't working until I enabled
>> PAMAuthenticationViaKbdInt.
> I thought it started working when you added the users' home dir (or
> pam_mkhomedir). Are you sure about that fix?
I could have sworn that was when it started working (/me looks back through
notes). The pam_mkhomedir wasn't added until a few minutes later. It was
then when I noticed a message referencing a missing user home directory that
pam_mkhomedir was added.
Just turned it off and removed pam_mkhomedir. Still able to login with
several accounts just fine. Weird. Didn't do that before :-) I'm tabling
that until later. The point is I can log in now.
>> Problem is I'm requiring it for security reasons. Tough call. 777 to /home
>> or no priv seperation. I think I'll check out the PAM modules code and see
>> if there is a work around.
>I don't know. Are the home directories that are created when you set
/home to 777 owned by the correct user, or by sshd?
Ok. Set home to 777 and added pam_mkhomedir again to system-auth. When I
login it creates the users home directory just fine. The user is the owner
of the directory. Interesting... If I can do the same thing with the
default /home rights then I'm set. Looks like it switches to the user
account then creates the user's home directory. Bummer :-(
> By default, anyone in the world can connect to the LDAP server and read
> data that's not private. There's nothing insecure about that (except
> for the binding part, but you should be filtering these connections at
> your edge firewall).
We are. However the requirements are pretty strict as defined by my
employer. I'm hoping to convince them it's unnecessary.
{snip}
> * stores the username/password in plain text on every machine you
configure as an LDAP client
> * sends the username/password over the network, usually in plain text
> The last two are where anonymous access is actually more secure than
> forcing authentication for any read access. The data that's readable is
> not sensitive, so avoiding management logins just means that there's
> less privilege that's likely to be escalated.
Is this also the case when using TLS and LDAP?
I really do appreciate your assistence! !
I've never dived this deep into LDAP and PAM before. Getting comfortable
with the two finally :-)
Thx again!
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
