Package: openssh-server
Version: 1:4.3p2-3
Severity: important

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-server depends on:
ii  adduser                 3.97         Add and remove users and groups
ii  debconf [debconf-2.0]   1.5.4        Debian configuration management sy
ii  dpkg                    1.13.22      package maintenance system for Deb
ii  libc6                   2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libcomerr2              1.39-1       common error description library
ii  libkrb53                1.4.4-1      MIT Kerberos runtime libraries
ii  libpam-modules          0.79-3.2     Pluggable Authentication Modules f
ii  libpam-runtime          0.79-3.2     Runtime support for the PAM librar
ii  libpam0g                0.79-3.2     Pluggable Authentication Modules l
ii  libselinux1             1.30.28-1    SELinux shared libraries
ii  libssl0.9.8             0.9.8c-1     SSL shared libraries
ii  libwrap0                7.6.dbs-11   Wietse Venema's TCP wrappers libra
ii  openssh-client          1:4.3p2-3    Secure shell client, an rlogin/rsh
ii  zlib1g                  1:1.2.3-13   compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/disable_cr_auth: false

Hello,

I'm trying to use pam_access to manage user and root connections to the host, but the access restriction does not seem to apply to the root user.

For testing purposes, I am trying to deny root access using pam_access. The only lines I have in my /etc/security/access.conf are:

    #### CAUTION: ORDER _DOES_ MATTER.
    #### Grant access to it group members.
    +:it:ALL
    #### Deny access to everyone from everywhere as fallback.
    -:ALL:ALL

I've configured sshd to use PAM (UsePAM yes) and uncommented the right line in my /etc/pam.d/ssh file:

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    account required pam_access.so

Login using authorized and unauthorized accounts works as expected, but not for root. I can still log in as root with those settings.

Setting the sshd log level to debug3 (LogLevel DEBUG3), I've found the following in my auth.log:

    ....
    Sep 29 15:06:08 foo pam_access[13939]: access denied for user `root' from `bar.net'
    Sep 29 15:06:08 foo sshd[13939]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
    ....

Why does ssh allow the root connection when PAM denies access?

I don't know if it helps, but when setting the control for pam_access.so in /etc/pam.d/ssh to requisite, it works as expected:

    ....
    Sep 29 15:13:27 slb02 pam_access[13975]: access denied for user `root' from `slb01.arbed.agn'
    Sep 29 15:13:27 slb02 sshd[13975]: debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
    ....

Sorry if this is not a bug or if it has already been reported.

Thanks for your help,
cedric.
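A log check for the mismatch reported above, added here as an example and not part of the original report or of OpenSSH: it pairs each pam_access denial with the pam_acct_mgmt result that sshd logs under the same PID and flags denials that were followed by Success. It assumes LogLevel DEBUG3 output in the format quoted in the report; the function name and the sample log (built from the report's two excerpts) are constructed for illustration.

```python
import re

# Constructed sample, assembled from the two auth.log excerpts in the report.
SAMPLE_LOG = """\
Sep 29 15:06:08 foo pam_access[13939]: access denied for user `root' from `bar.net'
Sep 29 15:06:08 foo sshd[13939]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Sep 29 15:13:27 slb02 pam_access[13975]: access denied for user `root' from `slb01.arbed.agn'
Sep 29 15:13:27 slb02 sshd[13975]: debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
"""

PREFIX = r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) "
DENY_RE = re.compile(
    PREFIX + r"pam_access\[(?P<pid>\d+)\]: "
    r"access denied for user `(?P<user>[^']*)' from `(?P<origin>[^']*)'"
)
ACCT_RE = re.compile(
    PREFIX + r"sshd\[(?P<pid>\d+)\]: "
    r"debug3: PAM: do_pam_account pam_acct_mgmt = (?P<code>\d+) \((?P<text>[^)]*)\)"
)


def find_ignored_denials(lines):
    """Return pam_access denials whose account phase still ended in success."""
    pending = {}   # (host, pid) -> (user, origin) awaiting sshd's result line
    findings = []
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            pending[(m["host"], m["pid"])] = (m["user"], m["origin"])
            continue
        m = ACCT_RE.match(line)
        if not m:
            continue
        denial = pending.pop((m["host"], m["pid"]), None)
        # 0 is PAM_SUCCESS; any other code means the account phase refused.
        if denial and int(m["code"]) == 0:
            findings.append({"host": m["host"], "pid": m["pid"],
                             "user": denial[0], "origin": denial[1]})
    return findings


if __name__ == "__main__":
    for f in find_ignored_denials(SAMPLE_LOG.splitlines()):
        print("denial ignored: user=%(user)s origin=%(origin)s "
              "host=%(host)s sshd pid=%(pid)s" % f)
```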

