> Max Bowsher maxb-at-ukf.net wrote:
> > I haven't done it myself, but I'd be surprised if there wasn't a way
> > to get PAM (and therefore ssh, and therefore svn+ssh) authenticating
> > against the AD.
>
> Patrick Smears patrick.smears-at-ensoft.co.uk wrote:
> > I was just about to suggest this... I don't have much experience with
> > AD, but it's certainly fairly easy to have SSH authenticate against
> > an NT domain... look up the "pam_smb_auth.so" PAM module.
>
> ssh without ssh-add, yes. But that would require password prompting on
> every operation just like for http://
>
> But not ssh-agent. ssh-agent asks for the password embedded in the
> (local) private key file, not the one stored in /etc/password or in PAM
> or wherever on the remote machine. If the key file has a password, no
> amount of Active Directory will open it without the password, and if
> the key file doesn't have a password, it would be possible to use it
> without any Active Directory checking.
You are right - clearly it's too early in the morning for me to be posting
:-). But this might suggest a possible way towards solving the problem: the
original poster needs a solution where access can be revoked on the central
Active Directory server. It may be possible to modify pam_smb_auth.so so
that, rather than requiring a username/password, it simply checks whether
the account exists and has not been disabled. But that may be more work than
anyone's prepared to do...
Another potential route to a solution: it's possible (on a Linux machine) to
check whether an account exists and is enabled (in an NT domain) as follows:

    rpcclient -U myname server -c 'samlookupnames domain usertocheck'
    <outputs a line "name usertocheck: 0x123 (1)">

    rpcclient -U myname server -c 'queryuser 0x123'
    <outputs a lot of data, including a line 'acb_info : 0210'>

(This could be easily done by a shell script!) The bottom bit of the
'acb_info' number is 1 if the account is disabled (i.e. if the account above
were disabled, it would be '0211' rather than '0210').
Does anyone know if it's possible for PAM and/or sshd to perform
authentication/authorisation based on a shell script?
Alternatively, does installing OpenSSH sshd under Cygwin give what's wanted,
i.e. permit logins by public key only when the user exists in AD?
Patrick
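The two rpcclient steps Patrick describes, wrapped into the shell script he says would be easy to write, as an added example that is not part of the original thread. It looks the user up with samlookupnames, pulls the RID out of the "name user: 0xNNN (1)" line, runs queryuser on that RID, and tests bit 0 (ACB_DISABLED) of acb_info, mapping the outcome to an exit status: 0 = exists and enabled, 1 = disabled, 2 = unknown or lookup failed. The server, domain and admin user names are placeholders, and the fake_rpcclient function is a constructed stand-in that emits output shaped like the real tool so the parsing can be exercised offline; point RPCCLIENT at the real binary to use it for real.

```shell
#!/bin/sh
# Added example, not code from the thread: is an NT-domain/AD account present
# and enabled? Exit status: 0 = enabled, 1 = disabled, 2 = unknown/failed.
# Placeholders (assumptions, not values from the thread):
RPCCLIENT="${RPCCLIENT:-rpcclient}"          # real binary, or a stand-in
SERVER="${SERVER:-dc.example.invalid}"
DOMAIN="${DOMAIN:-EXAMPLE}"
ADMINUSER="${ADMINUSER:-myname}"

# Pull the RID out of a samlookupnames line such as
#   name usertocheck: 0x123 (1)
# The "(1)" is the SID type; 1 = user, so anything else prints nothing.
parse_rid() {
    printf '%s\n' "$1" |
        sed -n 's/^name [^:]*: *\(0x[0-9a-fA-F]*\) *(1)$/\1/p' | head -n 1
}

# Pull the acb_info flags out of queryuser output. Old rpcclient builds print
# "acb_info : 0210", newer ones "acb_info : 0x00000210"; both are accepted and
# the value is returned as bare hex digits.
parse_acb() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*acb_info[[:space:]]*:[[:space:]]*\([0-9a-fA-Fx]*\).*$/\1/p' |
        head -n 1 | sed 's/^0x//'
}

# ACB_DISABLED is bit 0 (0x0001) of acb_info: prints 1 if disabled, else 0.
acb_disabled() {
    echo $(( 0x$1 & 1 ))
}

# Full check for one account name; see exit-status convention above.
check_account() {
    user="$1"
    lookup="$("$RPCCLIENT" -U "$ADMINUSER" "$SERVER" \
              -c "samlookupnames $DOMAIN $user" 2>/dev/null)" || return 2
    rid="$(parse_rid "$lookup")"
    [ -n "$rid" ] || return 2
    info="$("$RPCCLIENT" -U "$ADMINUSER" "$SERVER" \
              -c "queryuser $rid" 2>/dev/null)" || return 2
    acb="$(parse_acb "$info")"
    [ -n "$acb" ] || return 2
    [ "$(acb_disabled "$acb")" -eq 0 ] && return 0
    return 1
}

# Constructed stand-in for rpcclient (NOT the real tool): answers for two
# fictitious accounts, alice (enabled) and bob (disabled), with output in the
# shape the real commands produce.
fake_rpcclient() {
    for last; do :; done                      # $last = the -c command string
    case "$last" in
        "samlookupnames "*" alice") echo "name alice: 0x451 (1)" ;;
        "samlookupnames "*" bob")   echo "name bob: 0x452 (1)" ;;
        "samlookupnames "*)         echo "result was NT_STATUS_NONE_MAPPED"; return 1 ;;
        "queryuser 0x451") printf '\tUser Name   :\talice\n\tacb_info :\t0x00000210\n' ;;
        "queryuser 0x452") printf '\tUser Name   :\tbob\n\tacb_info :\t0x00000211\n' ;;
        *) return 1 ;;
    esac
}

# Run the check against the stand-in and report the three outcomes.
demo() {
    old="$RPCCLIENT"; RPCCLIENT=fake_rpcclient
    check_account alice  && a=0 || a=$?
    check_account bob    && b=0 || b=$?
    check_account nobody && c=0 || c=$?
    RPCCLIENT="$old"
    echo "alice=$a bob=$b nobody=$c"
}

# With an argument, check that account for real; otherwise show the demo.
if [ "$#" -gt 0 ]; then
    check_account "$1"
else
    demo
fi
```

For unattended use the lookup credentials have to be supplied without a prompt (rpcclient's -A authentication-file option, with the file readable only by the calling account), and the account used for the lookup itself needs nothing beyond the right to read user attributes. Later versions of sshd (AuthorizedKeysCommand) and Linux-PAM (pam_exec) gained hooks that can run a script like this at login time, which is why the result is carried in the exit status rather than in printed text.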
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 26 13:13:55 2004