From: Tom Judge
Date: Sun, 04 Mar 2007 16:39:29 +0000
To: Cédric Jonas
Cc: freebsd-questions@FreeBSD.org
Subject: Re: sshd: PAM + key authentication
Message-ID: <45EAF641.2020603@tomjudge.com>
In-Reply-To: <20070303211438.4c759c33@ganymed>

Cédric Jonas wrote:
> Hi all,
>
> I set up some sshd servers which authenticate their users through an
> LDAP DB. To realize this, I used PAM.
> Everything ok until now.
>
> Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I only
> allowed logon on specific hosts for some users.
> After that, I tested this last functionality: I tried to log in on a
> disallowed host, and it fails - so it works as expected. For this test,
> I used password authentication. Later, I tried the same test with key
> authentication, and could log in...
> After some more investigation, it seems sshd ignores PAM when someone
> tries to log in with a key... Is there some way to force sshd to
> consider PAM in case of key authentication?
>
> Thank you,
>

There are some patches available for sshd that allow you to control both
the SSH keys using an LDAP database and which users can log on to the ssh
server (using both password/key based authentication I believe [I have
never personally tested with password auth as our servers are set to key
based auth only]). I can send patches against 6.1/6.2 if required.

Tom
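The behaviour Cédric observed follows from how sshd uses PAM: per sshd_config(5), `UsePAM yes` enables PAM password/challenge-response authentication plus PAM account and session processing for all authentication types, so a public-key login never runs the PAM auth stack (where pam_ldap's pam_filter lives), only the account and session stacks. A host restriction that exists solely in the auth stack is therefore not applied to key logins. The audit script below is an added example, not code from this thread or from the patches Tom mentions; it reads an sshd_config and flags the two conditions that leave key logins unrestricted: `UsePAM` not set to yes (no PAM at all for key logins) and no `AllowUsers`/`AllowGroups` (nothing sshd itself evaluates for every method). The sample configs are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the case where
# key-based logins bypass a host restriction that lives only in the PAM auth
# stack. sshd honours the FIRST occurrence of a keyword, so sshd_opt mirrors
# that. Commented-out keywords ("#UsePAM no") do not match because $1 is
# "#UsePAM", not "UsePAM".

# Print the effective value of keyword $2 in config file $1; nothing if unset.
sshd_opt() {
    awk -v k="$2" 'tolower($1)==tolower(k) && $1 !~ /^#/ {print $2; exit}' "$1"
}

# Return 0 when the config restricts who may log in independently of the
# authentication method; otherwise print findings and return 1.
audit_sshd_config() {
    f="$1"
    findings=0
    usepam=$(sshd_opt "$f" UsePAM)                   # compiled-in default: no
    pubkey=$(sshd_opt "$f" PubkeyAuthentication)     # default: yes
    allowusers=$(sshd_opt "$f" AllowUsers)
    allowgroups=$(sshd_opt "$f" AllowGroups)

    if [ "${pubkey:-yes}" = "yes" ]; then
        if [ "${usepam:-no}" != "yes" ]; then
            echo "FINDING: UsePAM is not 'yes': key logins run no PAM account/session checks at all"
            findings=$((findings + 1))
        fi
        if [ -z "$allowusers" ] && [ -z "$allowgroups" ]; then
            echo "FINDING: no AllowUsers/AllowGroups: access control relies on the PAM auth stack, which key logins never run"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from the thread) for a stand-alone run.
weak=$(mktemp)
hardened=$(mktemp)
cat >"$weak" <<'EOF'
# weak: relies on pam_ldap's pam_filter in the PAM auth stack only
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat >"$hardened" <<'EOF'
# hardened: sshd evaluates AllowGroups for every authentication method
UsePAM yes
PubkeyAuthentication yes
AllowGroups sshusers wheel
EOF

echo "== weak config =="
audit_sshd_config "$weak" || echo "-> findings present"
echo "== hardened config =="
audit_sshd_config "$hardened" && echo "-> no findings"
rm -f "$weak" "$hardened"
```

The `AllowGroups` check is the method-independent control sshd offers; the LDAP host attribute can still be the source of truth if group membership (or a PAM account-stack module) is derived from it, which keeps the single-source setup Cédric wanted without relying on the auth stack being run.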