<div dir="ltr"><div>You should look in:<br></div><div><br></div><div>cat /etc/pam.d/sshd <br>#%PAM-1.0<br>auth required pam_sepermit.so<br>auth include password-auth<br>account required pam_nologin.so<br>
account include password-auth<br>password include password-auth<br># pam_selinux.so close should be the first session rule<br>session required pam_selinux.so close<br>session required pam_loginuid.so<br>
# pam_selinux.so open should only be followed by sessions to be executed in the user context<br>session required pam_selinux.so open env_params<br>session optional pam_keyinit.so force revoke<br>session include password-auth<br>
<br>See the sections on auth_include passwd-auth<br></div><div><br></div><div>Be super careful; how PAM evaluates the modules is very complex.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Oct 21, 2013 at 4:23 PM, Mark Saad <span dir="ltr">&lt;<a href="mailto:mark.saad@ymail.com" target="_blank">mark.saad@ymail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi talk<br></div> It's Monday and I have forgotten how to make this magic happen. How do I tell pam.d/sshd that "you can never use a password"? I have tried "PasswordAuthentication no" in sshd_config but it's not working. <br>
<br></div>What I am trying to do, is to have users and groups out of ldap, public keys in $HOME, pam_ssh to make sure you have a working agent that is loaded with a passphrase protected key and for the server to never prompt you for a password (In the event of the agent not running or ldap being unreachable) I don't want to see a password prompt from either ldap or pam_ssh. <br>
<br></div>Any ideas?<span class="HOEnZb"><font color="#888888"><br><br><div><div><div><div><div>-- <br><br>Mark Saad | <a href="mailto:mark.saad@ymail.com" target="_blank">mark.saad@ymail.com</a>
</div></div></div></div></div></font></span></div>
<br>_______________________________________________<br>
talk mailing list<br>
<a href="mailto:talk@lists.nycbug.org">talk@lists.nycbug.org</a><br>
<a href="http://www.nycbug.org/mailman/listinfo/talk" target="_blank">http://www.nycbug.org/mailman/listinfo/talk</a><br></blockquote></div><br></div>
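<div>An added example, not part of the thread: a small audit that expands the <code>auth include password-auth</code> line from the file quoted above and reports which sshd methods can still reach that auth stack. The <code>password-auth</code> contents and the sshd_config sample are constructed, the function names are hypothetical, and it assumes stock OpenSSH defaults with only the global (pre-Match) section read.</div>

```python
import re

# "sshd" lines come from the message above (trimmed); the rest is constructed sample data.
FILES = {
    "sshd": """#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
""",
    "password-auth": """auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
""",
}
SSHD_CONFIG = "PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"

def auth_stack(name, files, seen=()):
    """Expand the auth lines of a PAM service, following include/substack."""
    if name in seen:  # guard against include loops
        return []
    entries = []
    for line in files.get(name, "").splitlines():
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#", 1)[0].strip())
        if not m or m.group(1).lower() != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            entries += auth_stack(target, files, seen + (name,))
        else:
            entries.append((control, target))
    return entries

def sshd_prompt_paths(config_text):
    """Return sshd methods that can still prompt for a password (global section only)."""
    opts = {}
    for line in re.split(r"(?im)^\s*match\s", config_text)[0].splitlines():
        parts = re.split(r"[\s=]+", line.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) < 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip().lower())  # first value wins
    kbd = opts.get("kbdinteractiveauthentication", opts.get("challengeresponseauthentication", "yes"))
    paths = ["password"] if opts.get("passwordauthentication", "yes") == "yes" else []
    if kbd == "yes" and opts.get("usepam", "no") == "yes":
        paths.append("keyboard-interactive")  # prompts come from the PAM auth stack
    return paths

if __name__ == "__main__":
    print(sshd_prompt_paths(SSHD_CONFIG), auth_stack("sshd", FILES))
```

<div>With the constructed config, <code>PasswordAuthentication no</code> alone leaves keyboard-interactive enabled, so the modules listed by <code>auth_stack</code> can still issue their own prompts.</div>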