commit aa1cc794ca301e679308ef2abe382c4df73fc6d8
parent ee649586dbb77f3800c68f791335533db7c1b29d
Author: decentral1se <cellarspoon@riseup.net>
Date: Tue, 16 Jun 2026 19:29:17 +0200

docs(eik): pam setup

Diffstat:
| M | eik.mdwn | | | 4 | ++++ |
1 file changed, 4 insertions(+), 0 deletions(-)
diff --git a/eik.mdwn b/eik.mdwn @@ -328,3 +328,7 @@ Here's an example `nginx` configuration. ### nss See `/etc/rauthy/rauthy-pam-nss.toml` for the configuration. You can `journalctl -fu rauthy-nss` to see what's going down. The simplest test is to run `getent hosts`. The hosts are configured under `Pam > Hosts` in the `rauthy` web UI. + +### pam + +PAM users need to be created on the Rauthy admin side of things, connected to a normal user account via email. See `/etc/pam.d` for all adjusted configurations where the PAM system can ask Rauthy via API for additional login details. You can `tail -f /var/log/auth.log` to see how a log in attempt is responded to. Use the `/usr/sbin/rauthy-authorized-keys <username>` command to retrieve a SSH public key part for a specific user. The `/etc/ssh/sshd_config` is a part of the puzzle, with 2 options: 1) allowing password login with `PasswordAuthentication`. The passwords are ephemerally generated on the Rauthy user self-service UI 2) allowing `/usr/sbin/rauthy-authorized-keys` lookup with `AuthorizedKeysCommand`. We configure these options on a per-user basis.
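Review bot: The closing sentence of the new `### pam` section ("We configure these options on a per-user basis") does not say how the per-user scoping is done, so a reader cannot tell from `/etc/ssh/sshd_config` which accounts accept `PasswordAuthentication` and which go through `AuthorizedKeysCommand`. Suggest naming the mechanism actually used (for example `Match User` blocks, if that is what this host does) and mentioning the `AuthorizedKeysCommandUser` setting alongside `AuthorizedKeysCommand`, since sshd refuses to start when the command is set without it. The log hint `tail -f /var/log/auth.log` could also note which service writes there, to match the `journalctl -fu rauthy-nss` hint in the `### nss` section above. Minor wording: "a SSH public key part" reads better as "an SSH public key", and "log in attempt" as "login attempt".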