On Sun, 04 Mar 2007 16:39:29 +0000 Tom Judge <[EMAIL PROTECTED]> wrote:
> Cédric Jonas wrote:
> > Hi all,
> >
> > I set up some sshd servers which authenticate their users
> > through an LDAP DB. To realize this, I used PAM.
> > Everything ok until now.
> >
> > Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I
> > only allowed logon on specific hosts for some users.
> > After that, I tested this last functionality: I tried to login on a
> > disallowed host, and it fails - so it works as expected. For this
> > test, I used password authentication. Later, I tried the same test
> > with key authentication, and could log in...
> > After some more investigations, it seems sshd ignores PAM when
> > someone tries to log in with a key... is there some way to force
> > sshd to consider PAM in case of key authentication?
> >
> > Thank you,
> >
>
> There are some patches available for sshd that allow you to control
> both the SSH keys using an LDAP database and which users can log on
> to the ssh server (using both password/key based authentication I
> believe [I have never personally tested with password auth as our
> servers are set to key based auth only]). I can send patches against
> 6.1/6.2 if required.
>
> Tom

Thank you, but I just found the problem: I used pam_filter to exclude some users from specific hosts, but this option is only verified in the auth chain - which isn't used with key auth (this seems clear, since there is no password to be validated). So I tried pam_check_host_attr, which is verified in the account chain - which is also used when I try to log in with a key :-)

BTW: I saw that pam_unix doesn't implement anything for pam_sm_acct_mgmt except a return of PAM_SUCCESS. However, the manpage (pam_unix(8)) says: "The function verifies that the authenticated user is allowed to login to the local user account by checking the password expiry date." I think it would be better to correct the entire manpage, since the only function which implements something is pam_sm_authenticate.
If there are users who rely on the manpage without testing their configuration, they could get some surprises :-)

--
Cédric Jonas [EMAIL PROTECTED]
GPG ID: 30CCFE8D
GPG Key: http://box.decemplex.net/~cedric/cedric.key.asc
GPG Fingerprint: CF03 E1FD 9428 1B6B E971 B107 9044 AA99 30CC FE8D
Jabber-ID: [EMAIL PROTECTED]
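The point of the thread is that a host restriction placed only in the PAM auth chain (pam_filter) never runs for public-key logins, while one placed in the account chain (pam_check_host_attr with pam_ldap loaded under "account") does. The following script is an added example, not code from the thread or from the pam_ldap or OpenSSH projects: it embeds a constructed "weak" and a constructed "fixed" pair of pam.d/sshd and ldap.conf files and checks which pair actually enforces the host attribute for key-based logins. The module path /usr/local/lib/pam_ldap.so, the LDAP server and base DN, and the host names are assumptions chosen to look like a FreeBSD install; adjust them for your system.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): verify that the pam_ldap
# host restriction is enforced in the PAM *account* chain, which sshd runs
# for every login including public-key ones, and not only in the *auth*
# chain, which public-key authentication skips entirely.
# ASSUMPTION: pam_ldap lives at /usr/local/lib/pam_ldap.so (FreeBSD port).

# Return 0 if FILE (a pam.d/sshd) loads pam_ldap in its account chain.
# The control field may be a single word (required, sufficient, ...) or a
# bracketed Linux-PAM style expression such as [success=1 default=ignore].
pam_ldap_in_account() {
    grep -Eq '^[[:space:]]*account[[:space:]]+(\[[^]]*\]|[^[:space:]]+)[[:space:]]+[^[:space:]]*pam_ldap\.so' "$1"
}

# Return 0 if LDAPCONF (pam_ldap's ldap.conf) turns on the host attribute
# check, i.e. the check done by pam_sm_acct_mgmt rather than by pam_filter.
host_attr_enabled() {
    grep -Eiq '^[[:space:]]*pam_check_host_attr[[:space:]]+yes' "$1"
}

# Combined verdict: 0 = host restriction applies to key logins, 1 = gap.
host_restriction_enforced() {
    pam_ldap_in_account "$1" && host_attr_enabled "$2"
}

# --- constructed sample configurations (not real system files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Weak: the restriction is only a pam_filter on the auth chain, and pam_ldap
# is never consulted in the account chain. Password logins are filtered;
# key logins are not, because sshd never calls pam_authenticate for them.
cat > "$TMP/sshd.weak" <<'EOF'
auth       sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth       required    pam_unix.so     no_warn try_first_pass
account    required    pam_unix.so
session    required    pam_permit.so
EOF
cat > "$TMP/ldap.conf.weak" <<'EOF'
host ldap.example.internal
base dc=example,dc=internal
pam_filter host=sshbox1
EOF

# Fixed: pam_check_host_attr is enabled and pam_ldap is in the account chain,
# so pam_acct_mgmt (which sshd runs for key logins too) enforces it.
cat > "$TMP/sshd.fixed" <<'EOF'
auth       sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth       required    pam_unix.so     no_warn try_first_pass
account    required    /usr/local/lib/pam_ldap.so
account    required    pam_unix.so
session    required    pam_permit.so
EOF
cat > "$TMP/ldap.conf.fixed" <<'EOF'
host ldap.example.internal
base dc=example,dc=internal
pam_check_host_attr yes
EOF

WEAK_PAMD="$TMP/sshd.weak";   WEAK_LDAP="$TMP/ldap.conf.weak"
FIXED_PAMD="$TMP/sshd.fixed"; FIXED_LDAP="$TMP/ldap.conf.fixed"

# Report the verdict for each pair.
for pair in "weak:$WEAK_PAMD:$WEAK_LDAP" "fixed:$FIXED_PAMD:$FIXED_LDAP"; do
    name=${pair%%:*}; rest=${pair#*:}
    pamd=${rest%%:*}; ldapconf=${rest#*:}
    if host_restriction_enforced "$pamd" "$ldapconf"; then
        echo "$name: host restriction enforced in the account chain (covers key logins)"
    else
        echo "$name: host restriction NOT enforced for key logins (auth chain only)"
    fi
done
```

Two further things to confirm on a real host, which the script does not check: sshd_config must contain `UsePAM yes`, otherwise sshd runs no PAM account management at all for public-key logins, and the test from the thread (attempt a key login on a disallowed host) should still be repeated after the change, since a checker like this only reads configuration and cannot prove the module behaves as the manpage claims.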