
Bypass LDAP PAM authentication when ssh as local user

I want to ssh into a host using a local user and want to know how to configure it the best way, preferably that requires only changes on that host and not on the LDAP backend.

Currently I get this error and it appears that authentication for the local user is attempted via LDAP/PAM : debug1: PAM: password authentication failed for USER: Authentication failure

Based on some directions I found already, I did these changes but that doesn't help:

  1. Added the line below to /etc/security/access.conf:

         + : USER_UNIX_GROUP : ALL

  2. In /etc/pam.d/sshd, added the following line:

         auth sufficient pam_succeed_if.so user ingroup USER_UNIX_GROUP

The above settings get to this state, but I don't know how to get the user to be locally authenticated without having to disable PAM in ssh (which is not an option):

Jun 2 15:54:04 HOST sshd[29907]: pam_succeed_if(sshd:auth): requirement "user ingroup demo" was met by user "USER"

Jun 2 15:54:04 HOST sshd[29907]: Failed password for USER from SOURCE_IP port 42522 ssh2

I think you need to look at the nsswitch.conf (or whatever your OS uses) and set something like:

passwd:     files ldap
group:      files ldap

This should look at files first and then LDAP.

Be careful. There are a lot of parameters for PAM. Make one change at a time and document what you did.

Might also try some simple steps for diagnostics:

getent passwd userid

Should show the parameters for the userID.

getent netgroup sysadmin
sysadmin   (sa.willeke.com, , ) (xenhost.willeke.com, , )

Should show the parameters for the netgroup.
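The two configuration points in this thread are the NSS source order and the order of the `auth` modules in the sshd PAM stack. The script below is an added example, not code from the question or the answer: two small audit functions that run against constructed sample files (written to a temporary directory) rather than the live system. `nss_files_first` confirms that `files` precedes `ldap` (or `sss`) for `passwd` and `group`; `pam_auth_stack_ok` is a heuristic that checks that `pam_unix.so` is consulted before `pam_ldap.so`/`pam_sss.so`, that a `required` directory module does not sit behind a `pam_unix.so` that cannot end the stack on success, and that no `sufficient pam_succeed_if.so` line appears before any password module, because a `sufficient` module that succeeds ends the `auth` stack, so that arrangement would let group members in without their password ever being checked. The sample file contents and the group name `USER_UNIX_GROUP` are constructed for the example; the module names are the standard Linux-PAM ones.

```shell
#!/bin/sh
# Added example (not from the original post). Audit helpers for the two
# settings discussed above; both take a file path so they can be run
# against constructed samples offline.

# Return 0 when, for passwd and group, "files" is listed before "ldap"
# (or "sss") in the given nsswitch.conf; return 1 otherwise.
nss_files_first() {
    file=$1
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*${db}:" "$file" | head -n 1)
        [ -n "$line" ] || return 1
        sources=${line#*:}
        files_pos=0; dir_pos=0; i=0
        for src in $sources; do
            i=$((i + 1))
            case $src in
                files)    if [ "$files_pos" -eq 0 ]; then files_pos=$i; fi ;;
                ldap|sss) if [ "$dir_pos" -eq 0 ]; then dir_pos=$i; fi ;;
            esac
        done
        [ "$files_pos" -gt 0 ] || return 1
        if [ "$dir_pos" -gt 0 ] && [ "$dir_pos" -lt "$files_pos" ]; then
            return 1
        fi
    done
    return 0
}

# Heuristic check of the "auth" stack in a /etc/pam.d/sshd file. Return 0 if
# pam_unix.so runs before any directory module, a "required" directory
# module is not placed behind a pam_unix.so that cannot end the stack, and
# no "sufficient" pam_succeed_if.so precedes the first password module.
pam_auth_stack_ok() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 != "auth" { next }
        {
            n++
            control = $2; i = 3
            if (control ~ /^\[/) {        # bracketed control, e.g. [success=done default=ignore]
                while (i <= NF && control !~ /\]$/) { control = control " " $i; i++ }
            }
            module = $i
            stops = (control == "sufficient" || control ~ /^\[success=done/)
            if (module ~ /pam_unix\.so$/ && !unix_pos) { unix_pos = n; unix_stops = stops }
            if (module ~ /pam_(ldap|sss)\.so$/ && !dir_pos) { dir_pos = n; dir_ctrl = control }
            if (module ~ /pam_succeed_if\.so$/ && stops && !unix_pos) shortcut = 1
        }
        END {
            if (!unix_pos) exit 1                      # local password check missing
            if (dir_pos && dir_pos < unix_pos) exit 1  # directory asked before local files
            if (dir_ctrl ~ /^(required|requisite)$/ && !unix_stops) exit 1
            if (shortcut) exit 1                       # password-less group shortcut
            exit 0
        }' "$1"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: local sources first, as the answer recommends.
cat > "$SAMPLE_DIR/nsswitch.good.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap
EOF

# Constructed sample: the directory is consulted before local files.
cat > "$SAMPLE_DIR/nsswitch.bad.conf" <<'EOF'
passwd:     ldap files
group:      ldap files
EOF

# Constructed sample: pam_unix.so first and ending the stack on success,
# so a local user with a correct password never reaches pam_ldap.so.
cat > "$SAMPLE_DIR/sshd.good" <<'EOF'
auth    [success=done default=ignore]  pam_unix.so nullok
auth    sufficient                     pam_ldap.so use_first_pass
auth    required                       pam_deny.so
account required                       pam_access.so
EOF

# Constructed sample: a sufficient pam_succeed_if.so ahead of every password
# module, and the directory module ahead of pam_unix.so.
cat > "$SAMPLE_DIR/sshd.bad" <<'EOF'
auth    sufficient  pam_succeed_if.so user ingroup USER_UNIX_GROUP
auth    required    pam_ldap.so
auth    required    pam_unix.so
EOF

for f in nsswitch.good.conf nsswitch.bad.conf; do
    if nss_files_first "$SAMPLE_DIR/$f"; then
        echo "$f: local files are consulted first"
    else
        echo "$f: directory is consulted before local files"
    fi
done
for f in sshd.good sshd.bad; do
    if pam_auth_stack_ok "$SAMPLE_DIR/$f"; then
        echo "$f: auth stack authenticates local users locally"
    else
        echo "$f: auth stack needs attention"
    fi
done
```

Run it against the real files with `nss_files_first /etc/nsswitch.conf` and `pam_auth_stack_ok /etc/pam.d/sshd` after sourcing the script; note that on distributions where the sshd file only contains `include` lines, the `auth` stack to inspect is the included file (for example `common-auth` or `password-auth`), which the heuristic does not follow on its own.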
