Hi,

I am trying to get disconnected login working using pam_ccreds. I have set up LDAP authentication and patched ssh to obtain the user's keys, which are also stored in LDAP. When LDAP is available, it works: users can log in with no problems. When LDAP is not available, I have a local script to collect the ssh keys from LDAP and store them locally on the individual hosts. I also set nsswitch.conf to use "files ldap db". My /etc/pam.d/system-auth is set to use pam_ccreds, and to top it off I use nss_updatedb to obtain passwd and group info from LDAP and cache it in /var/db every hour.

OK, here is the issue: when LDAP is not available, sshd can get the key locally, but then pam_ldap fails and causes a fatal error, so the users cannot log in. However, if I run getent passwd <user> or getent group <group> when LDAP is not available, information is returned.

I read this article: http://fcp.homelinux.org/modules/newbb/viewtopic.php?topic_id=6757&viewmode=flat&order=ASC&start=0 (half way down the page), which leads me to believe that it can be done, just a matter of how...

Here is my system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
#auth       sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
#auth       sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
#auth       required      /lib/security/$ISA/pam_deny.so
auth        [user_unknown=ignore authinfo_unavail=ignore authtok_err=ignore default=done] pam_unix.so
auth        [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth        [default=done] pam_ccreds.so action=validate use_first_pass
auth        [default=done] pam_ccreds.so action=store
auth        optional      pam_ccreds.so action=update
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      pam_mkhomedir.so

Any help would be very much appreciated.

--
Regards,
slr
+++ ISP Systems Specialist +++ Telkom Internet +++
key: 0x0B65ABDC - http://wwwkeys.pgp.net:11371

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/MU/E d? s+:+ a- C++++>+++++ USL++++$ P++++ !E(---)W+@ !N o?(--) K? !w(---)
O- M+ V PS+@ PE Y-- PGP++>+++ !t(---) !5 !X R-- !tv b(++) DI++ !D(----) G+++>++++
e++>* h----(*) r+++ y++++
------END GEEK CODE BLOCK------
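Added example (not part of the post above): a small checker that reads the pam_ldap lines from the system-auth shown in the message, expands the classic control keywords per the pam.conf(5) equivalence table, and reports, for each stack, what PAM does when pam_ldap returns authinfo_unavail (the return value for an unreachable LDAP server). The sample config and the SYSTEM_AUTH constant are constructed from the lines in the post; the function names are this example's own.

```python
import re

# Constructed sample: the pam_ldap lines from the system-auth in the post above.
SYSTEM_AUTH = """\
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
session optional /lib/security/$ISA/pam_ldap.so
"""

# What the classic keywords expand to, per the pam.conf(5) equivalence table.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type, control (keyword or [bracketed list]), module path, optional args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_control(control):
    """Turn 'required' or '[a=b c=d]' into a dict of return-value -> action."""
    if control.startswith("["):
        return dict(tok.split("=", 1) for tok in control[1:-1].split())
    return KEYWORDS[control]


def action_for(control, retval):
    """Action PAM takes when a module under this control returns retval.
    Any return value not listed in a bracketed control falls under default."""
    table = parse_control(control)
    return table.get(retval, table.get("default", "ignore"))


def offline_blockers(config, module="pam_ldap.so", retval="authinfo_unavail"):
    """Return (stack type, action) for each stack where the module failing
    with retval is treated as a failure (bad or die) rather than ignored."""
    hits = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line)
        if not m or not m.group(3).endswith(module):
            continue
        action = action_for(m.group(2), retval)
        if action in ("bad", "die"):
            hits.append((m.group(1), action))
    return hits


if __name__ == "__main__":
    for stack, action in offline_blockers(SYSTEM_AUTH):
        print(f"{stack}: pam_ldap authinfo_unavail -> {action}")
```

On the posted config this reports only the account stack: its `[default=bad ...]` control lists no authinfo_unavail entry, so an unreachable LDAP server fails account management even though the auth stack already maps that case to ignore and falls through to pam_ccreds.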