SSH Group Authentication – Groups Differ from Local Ones When Logging in Remotely

Tags: authentication, group, ldap, pam, ssh

We store our users in LDAP, alongside some groups that have meaning across different systems (organizational roles, including wheel). There are also groups local to workstations, e.g. audio or video, that are not desirable to put into LDAP. Now if I log in locally I get those local groups, but if I log in via SSH into the same machine I lack them. They of course come back if I use su straight afterwards. I may be on the wrong track, but I suspect PAM.

Relevant entries from nsswitch.conf

passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap

As for pam, always the auth line, but the other lines are the same

/etc/pam.d/sshd

auth            include         system-remote-login

/etc/pam.d/system-remote-login (identical to system-local-login I might add)

auth            include         system-login

/etc/pam.d/system-login

auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so 
auth            required        pam_nologin.so 
auth            include         system-auth
auth            optional        pam_gnome_keyring.so

account         required        pam_access.so 
account         required        pam_nologin.so 
account         include         system-auth
account         required        pam_tally2.so onerr=succeed 

password        include         system-auth
password        optional        pam_gnome_keyring.so

session         optional        pam_loginuid.so
session         required        pam_env.so 
session         optional        pam_lastlog.so 
session         include         system-auth
session         optional        pam_gnome_keyring.so auto_start
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so

/etc/pam.d/su

auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include              system-auth

account    include              system-auth

password   include              system-auth

session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so

/etc/pam.d/common-auth:

auth    required     pam_group.so use_first_pass

What could be the problem and how would I solve it? I'm happy to provide other information needed.

Best Answer

I took heart today and finally solved it. The PAM chain works like this:

  • /etc/pam.d/sshd includes:
    • /etc/pam.d/system-remote-login that includes:
      • /etc/pam.d/system-login that includes:
        • /etc/pam.d/system-auth which has an optional requirement

Apparently the last include does not work for some reason. The reason why I was so puzzled so far was that I trusted that these includes would work, which wasn't the case. If someone can explain why, I'd be very grateful. I know this because if I add the line

auth    optional  pam_group.so

into the /etc/pam.d/system-login then it works.
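As an added example (not part of the question or the answer), here is a small Python script that follows include/substack lines the way the answer traces them by hand and returns the effective auth stack for a service, which is a quick way to audit what a pam.d tree declares before editing it. The mini pam.d tree it writes is constructed from the files shown in the question; system-auth, which the question does not show, is invented, and Debian's @include syntax is not handled. It lists only what the files say, so it cannot by itself explain why the asker's include did not take effect on the real machine.

```python
import os
import tempfile

# Constructed mini /etc/pam.d tree mirroring the post's include chain; system-auth is invented.
SAMPLE_PAMD = {
    "sshd": "auth    include  system-remote-login\naccount include  system-remote-login\n",
    "system-remote-login": "auth    include  system-login\n",
    "system-login": ("auth    required pam_tally2.so onerr=succeed\n"
                     "auth    required pam_shells.so\n"
                     "auth    required pam_nologin.so\n"
                     "auth    include  system-auth\n"
                     "auth    optional pam_gnome_keyring.so\n"),
    "system-auth": ("auth    required pam_unix.so try_first_pass nullok\n"
                    "auth    optional pam_group.so\n"),
}

def parse_line(raw):
    """Return (type, control, module, args) for one pam.d line, or None for blanks/comments."""
    parts = raw.split("#", 1)[0].split()
    if len(parts) < 3:
        return None
    mtype = parts[0].lstrip("-")          # a leading '-' only silences missing-module logging
    if parts[1].startswith("["):          # bracketed control, e.g. [success=1 default=ignore]
        end = next(i for i, p in enumerate(parts) if p.endswith("]"))
        return (mtype, " ".join(parts[1:end + 1]), parts[end + 1], parts[end + 2:])
    return (mtype, parts[1], parts[2], parts[3:])

def flatten(pamd, service, mtype, depth=0):
    """Expand include/substack lines and return the effective `mtype` stack for `service`."""
    assert depth < 16, "include loop at " + service
    stack = []
    with open(os.path.join(pamd, service)) as fh:
        for raw in fh:
            entry = parse_line(raw)
            if entry is None or entry[0] != mtype:
                continue
            control, module, args = entry[1:]
            if control in ("include", "substack"):
                stack.extend(flatten(pamd, module, mtype, depth + 1))
            else:
                stack.append((control, module, args))
    return stack

def sshd_auth_stack():
    """Write SAMPLE_PAMD into a temp dir and return the auth stack sshd would run from it."""
    root = tempfile.mkdtemp(prefix="pamd-")
    for name, text in SAMPLE_PAMD.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return flatten(root, "sshd", "auth")
```

Pointing `flatten` at the real /etc/pam.d (as root) shows the same expansion for a live system, and comparing the sshd stack with the login stack makes a missing pam_group.so line obvious.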
