Date: Sun, 4 Mar 2007 18:14:06 +0100
From: Cédric Jonas <cedric@decemplex.net>
To: Tom Judge <tom@tomjudge.com>
Message-ID: <20070304181406.66e584b0@ganymed>
In-Reply-To: <45EAF641.2020603@tomjudge.com>
References: <20070303211438.4c759c33@ganymed> <45EAF641.2020603@tomjudge.com>
X-Mailer: Claws Mail 2.8.0 (GTK+ 2.10.9; i386-portbld-freebsd7.0)
Cc: freebsd-questions@FreeBSD.org
Subject: Re: sshd: PAM + key authentication
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>

On Sun, 04 Mar 2007 16:39:29 +0000
Tom Judge <tom@tomjudge.com> wrote:

> Cédric Jonas wrote:
> > Hi all,
> >
> > I set up some sshd servers which authenticate their users
> > through an LDAP DB. To realize this, I used PAM.
> > Everything ok until now.
> >
> > Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I
> > only allowed logon on specific hosts for some users.
> > After that, I tested this last functionality: I tried to login on a
> > disallowed host, and it fails - so it works as expected. For this
> > test, I used password authentication. Later, I tried the same test
> > with key authentication, and could log in...
> > After some more investigation, it seems sshd ignores PAM when
> > someone tries to log in with a key... is there some way to force
> > sshd to consider PAM in case of key authentication?
> >
> > Thank you,
> >
>
> There are some patches available for sshd that allow you to control
> both the SSH keys using an LDAP database and which users can log on
> to the ssh server (using both password/key based authentication I
> believe [I have never personally tested with password auth as our
> servers are set to key based auth only]).  I can send patches against
> 6.1/6.2 if required.
>
> Tom


Thank you, but I just found the problem: I used pam_filter to exclude
some users from specific hosts, but this option is only verified in the
auth chain - which isn't used with key auth (which seems clear, since
there isn't any password to be validated). So I tried pam_check_host_attr,
which is verified in the account chain - which is also used when I try
to login with a key :-)


BTW: I saw that pam_unix doesn't implement anything for
pam_sm_acct_mgmt except returning PAM_SUCCESS.

Yet the manpage (pam_unix(8)) says:

"The function verifies that the authenticated user is allowed to login
to the local user account by checking the password expiry date."

I think it would be better to correct the entire manpage, since the
only function which implements something is pam_sm_authenticate.
If there are users who rely on the manpage without testing their
configuration, they could get some surprises :-)

-- 
Cédric Jonas                                        cedric@decemplex.net

GPG ID:                                                         30CCFE8D
GPG Key:                 http://box.decemplex.net/~cedric/cedric.key.asc
GPG Fingerprint:      CF03 E1FD 9428 1B6B E971  B107 9044 AA99 30CC FE8D

Jabber-ID:                                          cedric@decemplex.net
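
As an added illustration (not part of the thread and not the poster's own configuration), the distinction Cédric describes maps onto the two PAM stacks sshd consults: with `UsePAM yes`, the `account` stack (pam_acct_mgmt) runs after every successful authentication method, public key included, while the `auth` stack (pam_authenticate) runs only for password or keyboard-interactive logins. The file paths, the pam_ldap module location under /usr/local and the hostname are assumptions for a FreeBSD host using the PADL pam_ldap port.

```conf
# /etc/pam.d/sshd (constructed example; module paths assumed)
#
# auth: consulted by sshd only for password / keyboard-interactive
# logins. A host restriction that lives here is never evaluated for
# a successful public-key login, which is the bypass seen in the thread.
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass

# account: consulted by sshd after *every* authentication method,
# public key included, so per-host authorization belongs here.
account   required    pam_nologin.so
account   required    pam_login_access.so
account   required    /usr/local/lib/pam_ldap.so
account   required    pam_unix.so      # note: returns PAM_SUCCESS unconditionally

session   required    pam_permit.so
password  required    pam_unix.so                 no_warn try_first_pass

# /usr/local/etc/ldap.conf, pam_ldap section (constructed excerpt)
#
# Weak: pam_filter is applied when the user is authenticated, so key
# logins that skip the auth stack also skip this restriction.
#pam_filter   host=sshd01.example.com

# Corrected: pam_ldap's account-management step compares the user's
# LDAP "host" attribute with this machine's hostname and denies
# users without a matching value, regardless of how they authenticated.
pam_check_host_attr yes

# /etc/ssh/sshd_config: without this line sshd consults neither stack,
# and the account check above is never reached.
UsePAM yes
```

A quick defender's check after changing this: attempt a key-based login as a user whose LDAP entry lacks a matching `host` value and confirm sshd logs an account-management denial rather than a successful session.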
