Posts

Showing posts with the label ssh

Restrict Commands executed via pre-shared SSH keys

Introduction

Using pre-shared SSH keys is a great way to make logging into remote hosts quick and easy. No pesky passwords to remember. The downside is that if your organization relies on passwords for access control, the pre-shared key will negate any password control you have. For example: if your organization rolls a password for a system account, and the new password is not shared with all the original people, then some people who should no longer have access will continue to have access via their pre-shared key. Also, anyone with access to a user's account on a client host could access the system account via the pre-shared key on the remote host. This is not ideal.

Sometimes it is necessary to allow only certain commands to be executed over SSH from specified client hosts without a password, especially when thinking about automated tasks. In my examples, I will demonstrate how we can create a simple remote procedure call type scenario using ...

Samba4 Windows AND Linux authentication

Introduction

This post describes all the millions of configuration files you need to set up on a CLIENT LINUX server / machine in order to ssh to it with your domain credentials. I have this working in a LAB environment with the following caveats:

SELINUX disabled (work on this required)
Firewall disabled (not hard to fix this if required)
DNS setup not working completely for forwarding to external nameserver by Samba4. Don't know why. (more investigation required)

You will need to have a user called binduser which has permissions in AD to look up other users. I am sure there is documentation on this around somewhere :)

Install packages

yum -y install samba-winbind pam_ldap pam_krb5 nss-pam-ldapd oddjob-mkhomedir bind-utils

Configure openldap (/etc/openldap/ldap.conf)

[root@linuxclient ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=...