I'm configuring some servers to use LDAP (via PAM) to authenticate users. Additionally, I use pam_group to add all users to some system groups like audio/video/vboxusers/….
My PAM configuration works fine with most services (su, login and sudo all take pam_group into account), but not with SSH. Specifically, when I authenticate with a public key, groups are not added from /etc/security/group.conf, but they are when I authenticate with a password.
Looking around, I've found that SSH public key authentication bypasses the PAM stack and sets user credentials by itself, so it ignores PAM-specific configurations such as pam_group. Weirdly, LDAP groups — which are usually set by pam_ldap — are set in all cases, password or no.
I'd like the user experience to be as predictable as possible for my users, so that they're always members of the same set of groups regardless of their authentication method. Is there any way to configure SSH to add groups from /etc/security/group.conf when using pubkey authentication?
Thanks in advance,
Best Answer
Probably not.
The man page for pam_group says:
And since SSH doesn't use PAM to authenticate when it uses public keys, the auth modules are not used.
As to why pam_group only works as an auth module and not as a session module, I can't say.
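An added example, not part of the question or the answer: a small Python audit that lists the modules a PAM service file configures only in its auth stack, which by the answer's reasoning are the ones skipped on public key logins. The sample file contents and the function names are constructed for illustration.

```python
PAM_TYPES = {"auth", "account", "password", "session"}

# Constructed sample of an /etc/pam.d/sshd file (not taken from the page).
SAMPLE_SSHD_PAM = """\
# PAM configuration for the ssh service
auth       required     pam_env.so
auth       optional     pam_group.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       include      common-extra
account    required     pam_unix.so
account    sufficient   pam_ldap.so
session    required     pam_limits.so
session    optional     pam_ldap.so
-session   optional     pam_systemd.so
"""

def parse_pam(text):
    """Yield (type, module) for each module line of a pam.d service file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3:
            continue  # blank lines, comments, '@include name' directives
        mtype = fields[0].lstrip("-")  # leading '-' only silences missing-module logs
        if mtype not in PAM_TYPES:
            continue
        rest = fields[1:]
        if rest[0].startswith("["):
            # Bracketed control such as [success=1 default=ignore] spans fields.
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
        if len(rest) < 2 or rest[0] in ("include", "substack"):
            continue  # other files are not resolved in this sketch
        yield mtype, rest[1]

def auth_only_modules(text):
    """Modules that appear in the auth stack and in no other stack."""
    seen = {}
    for mtype, module in parse_pam(text):
        seen.setdefault(module, set()).add(mtype)
    return sorted(m for m, types in seen.items() if types == {"auth"})

if __name__ == "__main__":
    for module in auth_only_modules(SAMPLE_SSHD_PAM):
        print(f"{module}: auth stack only, not run for public key logins")
```

Run against the real service file, a pam_group.so entry in the output matches the behaviour described in the question.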