Enrique,

> I can choose the hosts a unix user has access to by adding the "accessto"
> attribute.
> In every client, I have the next entry on pam_ldap.conf
>
> pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)
> (accessto=serverhostname).
>
> It works using ssh connections with password mechanism, gdm or just login.
>
> But I've created a public key pair with ssh-keygen, and I can log in all the
> clients ($HOME through NFS) although my user has no "accessto" attribute for
> these hosts.

Looks like pam_filter is used only for filtering user data and not for the account management in pam_ldap. Can you run your ssh server with -ddd flags, try to log in with a user that has no 'accessto' attribute and see at what stage PAM rejected that user.
One more idea: do you use pam_nss? If yes, then pam_unix can let you in, because it looks up the user using nsswitch. pam_nss (at least version 252) does not use the pam_filter configuration item. Try to eliminate success=1 from the pam_unix.so string below and see if it will help.

> # /etc/pam.d/common-account - authorization settings common to all services
>
> account [success=1 default=ignore] pam_unix.so
> account required pam_ldap.so
> account required pam_permit.so

-- 
Eygene
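Added example (not part of the thread): a small simulator of how Linux-PAM walks the quoted "account" stack, showing why `[success=1 default=ignore]` on pam_unix.so lets pam_ldap.so be skipped and what changes when that control is replaced by `required`. Module return codes are constructed values for the scenario in the thread (the user resolves via nsswitch but has no accessto entry for the host); no real PAM modules are called, and only the control semantics needed here are modelled.

```python
# Constructed PAM return codes used by the simulation.
PAM_SUCCESS, PAM_PERM_DENIED = "success", "perm_denied"

def parse_stack(text):
    """Parse 'account <control> <module>' lines into (control, module) pairs.
    A bracketed control becomes a dict, e.g. {"success": "1", "default": "ignore"}."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            control, module = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in control.split())
        else:
            control, module = rest.split(None, 1)
        entries.append((control, module.split()[0]))
    return entries

def evaluate(stack, results):
    """Walk the stack with each module's (constructed) return code.
    Subset of Linux-PAM semantics modelled:
      required                    -> a failure is remembered, stack continues
      [success=N default=ignore]  -> on success, skip the next N modules."""
    i, failed = 0, False
    while i < len(stack):
        control, module = stack[i]
        ret = results[module]
        if control == "required":
            failed = failed or ret != PAM_SUCCESS
        elif isinstance(control, dict):
            action = control.get(ret, control.get("default", "ignore"))
            if action.isdigit():
                i += int(action)          # jump over the next N entries
            elif action in ("bad", "die"):
                failed = True
        i += 1
    return PAM_PERM_DENIED if failed else PAM_SUCCESS

# The stack quoted in the thread, and the same stack with success=1 removed.
WEAK = """
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
"""
FIXED = WEAK.replace("[success=1 default=ignore]", "required")

# Constructed scenario: nsswitch knows the user (pam_unix succeeds),
# but the LDAP entry has no accessto for this host (pam_ldap denies).
RESULTS = {"pam_unix.so": PAM_SUCCESS, "pam_ldap.so": PAM_PERM_DENIED,
           "pam_permit.so": PAM_SUCCESS}

def check(config):
    return evaluate(parse_stack(config), RESULTS)
```

With the quoted stack, `check(WEAK)` comes back as success because pam_unix's success jumps straight to pam_permit; with `required` on pam_unix, `check(FIXED)` reaches pam_ldap and is denied.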
