Re: sshd: PAM + key authentication

2007-03-04 Thread Cédric Jonas
On Sun, 04 Mar 2007 16:39:29 +
Tom Judge <[EMAIL PROTECTED]> wrote:

> Cédric Jonas wrote:
> > Hi all,
> > 
> > I set up some sshd servers which authenticate their users
> > through an LDAP DB. To realize this, I used PAM.
> > Everything ok until now.
> > 
> > Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I
> > only allowed logon on specific hosts for some users.
> > After that, I tested this last functionality: I tried to login on a
> > disallowed host, and it fails - so it works as expected. For this
> > test, I used password authentication. Later, I tried the same test
> > with key authentication, and could log in...
> > After some more investigations, it seems sshd ignores PAM when
> > someone tries to log in with a key... is there some way to force
> > sshd to consider PAM in case of key authentication?
> > 
> > Thank you,
> > 
> 
> There are some patches available for sshd that allow you to control
> both the SSH keys using an LDAP database and which users can log on
> to the ssh server (using both password/key based authentication I
> believe [I have never personally tested with password auth as our
> servers are set to key based auth only]).  I can send patches against
> 6.1/6.2 if required.
> 
> Tom


Thank you, but I just found the problem: I used pam_filter to exclude
some users from specific hosts, but this option is only verified in the
auth chain - which isn't used with key auth (seems to be clear, since
there isn't any password to be validated). So I tried pam_check_host_attr,
which is verified in the account chain - which is also used when I try
to login with a key :-)


BTW: I saw that pam_unix doesn't implement anything for
pam_sm_acct_mgmt except returning PAM_SUCCESS.

Yet the manpage (pam_unix(8)) says:

"The function verifies that the authenticated user is allowed to login
to the local user account by checking the password expiry date."

I think it would be better to correct the entire manpage, since the
only function which implements something is pam_sm_authenticate.
If there are users who rely on the manpage without testing their
configuration, they could get some surprises :-)

-- 
Cédric Jonas    [EMAIL PROTECTED]

GPG ID: 30CCFE8D
GPG Key: http://box.decemplex.net/~cedric/cedric.key.asc
GPG Fingerprint:  CF03 E1FD 9428 1B6B E971  B107 9044 AA99 30CC FE8D

Jabber-ID:  [EMAIL PROTECTED]



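The point Cédric arrives at above, that with UsePAM yes sshd never runs the PAM auth stack for a public-key login and only consults account and session, can be turned into a quick configuration check. The following script is an added example, not code from the thread or from FreeBSD: it parses pam.d-style lines and reports which modules would be bypassed by key-based logins; the /etc/pam.d/sshd fragments it uses are constructed, and the path /usr/local/lib/pam_ldap.so is assumed.

```python
"""Which PAM modules does sshd actually consult on a public-key login?

With UsePAM yes, sshd skips the 'auth' stack entirely when the client
authenticates with a key; only 'account' and 'session' are evaluated.
"""

PUBKEY_STACKS = {"account", "session"}  # stacks sshd runs for key logins

def parse_pam(text):
    """Yield (stack, control, module, options) from pam.d-style lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        stack, control, module = parts[0], parts[1], parts[2]
        module = module.rsplit("/", 1)[-1]       # strip any path prefix
        yield stack, control, module, parts[3:]

def stacks_by_module(text):
    """Map module name -> set of stacks it appears in."""
    out = {}
    for stack, _, module, _ in parse_pam(text):
        out.setdefault(module, set()).add(stack)
    return out

def auth_only_modules(text):
    """Modules present only in 'auth': silently bypassed by key auth."""
    return sorted(m for m, s in stacks_by_module(text).items()
                  if s and s <= {"auth"})

def enforced_for_pubkey(text, module):
    """True if the module sits in a stack sshd evaluates for key logins."""
    return bool(stacks_by_module(text).get(module, set()) & PUBKEY_STACKS)

# Constructed FreeBSD-style /etc/pam.d/sshd fragments (not from the thread).
BEFORE = """\
auth     sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
auth     required    pam_unix.so                  no_warn try_first_pass
account  required    pam_nologin.so
account  required    pam_unix.so
session  required    pam_permit.so
"""
# The fix: make pam_ldap part of the account stack as well.
AFTER = BEFORE + "account  required    /usr/local/lib/pam_ldap.so\n"

if __name__ == "__main__":
    print("auth-only, bypassed by key auth:", auth_only_modules(BEFORE))
    print("pam_ldap enforced after fix:", enforced_for_pubkey(AFTER, "pam_ldap.so"))
```

Whether the LDAP host attribute is then honoured still depends on pam_check_host_attr being set in the pam_ldap configuration; this check only tells you whether pam_ldap is consulted at all on a key login.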

Re: sshd: PAM + key authentication

2007-03-04 Thread Tom Judge

Cédric Jonas wrote:

> Hi all,
> 
> I set up some sshd servers which authenticate their users through an
> LDAP DB. To realize this, I used PAM.
> Everything ok until now.
> 
> Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I only
> allowed logon on specific hosts for some users.
> After that, I tested this last functionality: I tried to login on a
> disallowed host, and it fails - so it works as expected. For this test,
> I used password authentication. Later, I tried the same test with key
> authentication, and could log in...
> After some more investigations, it seems sshd ignores PAM when someone
> tries to log in with a key... is there some way to force sshd to
> consider PAM in case of key authentication?
> 
> Thank you,




There are some patches available for sshd that allow you to control both
the SSH keys using an LDAP database and which users can log on to the
ssh server (using both password/key based authentication I believe [I
have never personally tested with password auth as our servers are set
to key based auth only]).  I can send patches against 6.1/6.2 if required.


Tom
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"