Martin,

It should work -- you still need to resolve the login name via NSS, though. Are your Moonshot logins mapped to an LDAP account?

cheers,
Luke

On 20/09/2013, at 9:18 AM, Martin Hamilton <[log in to unmask]> wrote:

Hi folks,

We are using sssd with pam_sss to front-end an LDAP database of users across our HPC clusters. I'd like to plumb Moonshot in for ssh access, whilst retaining some LDAP-only users.

Would I be right in thinking that in order to achieve this it would be practical to add pam_gss alongside pam_sss in /etc/pam.d/system-auth, /etc/pam.d/password-auth etc. (CentOS-based distro)? Anyone already had a crack at this?

The nuance is that all the users should exist in the LDAP database, but if someone comes in via the Moonshot route then we will try to authenticate them using Moonshot rather than the hashed password stored in LDAP.

Thanks in advance for any thoughts!

Cheers,

Martin

PS I'm aware of the parallel discussion about RADIUS attribute munging vs. the Shibboleth Transform plugin for deriving the local user ID.



--
Luke Howard / [log in to unmask]