Date: Sun, 4 Mar 2007 18:14:06 +0100
From: Cédric Jonas <cedric@decemplex.net>
To: Tom Judge <tom@tomjudge.com>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: sshd: PAM + key authentication
Message-ID: <20070304181406.66e584b0@ganymed>
In-Reply-To: <45EAF641.2020603@tomjudge.com>
References: <20070303211438.4c759c33@ganymed> <45EAF641.2020603@tomjudge.com>
On Sun, 04 Mar 2007 16:39:29 +0000 Tom Judge <tom@tomjudge.com> wrote:

> Cédric Jonas wrote:
> > Hi all,
> >
> > I set up some sshd servers which authenticate their users
> > through an LDAP DB. To realize this, I used PAM.
> > Everything ok until now.
> >
> > Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I
> > only allowed logon on specific hosts for some users.
> > After that, I tested this last functionality: I tried to log in on a
> > disallowed host, and it fails - so it works as expected. For this
> > test, I used password authentication. Later, I tried the same test
> > with key authentication, and could log in...
> > After some more investigation, it seems sshd ignores PAM when
> > someone tries to log in with a key... is there some way to force
> > sshd to consider PAM in case of key authentication?
> >
> > Thank you,
> >
>
> There are some patches available for sshd that allow you to control
> both the SSH keys using an LDAP database and which users can log on
> to the ssh server (using both password/key based authentication I
> believe [I have never personally tested with password auth as our
> servers are set to key based auth only]). I can send patches against
> 6.1/6.2 if required.
>
> Tom

Thank you, but I just found the problem: I used pam_filter to exclude
some users from specific hosts, but this option is only verified in the
auth chain - which isn't used with key auth (seems to be clear, since
there isn't any password to be validated).

So I try pam_check_host_attr, which is verified in the account chain -
which is also used when I try to log in with a key :-)

BTW: I saw that pam_unix doesn't implement anything for pam_sm_acct_mgmt
except a return PAM_SUCCESS. Yet the manpage (pam_unix(8)) says: "The
function verifies that the authenticated user is allowed to login to the
local user account by checking the password expiry date." I think it
would be better to correct the entire manpage, since the only function
which implements something is pam_sm_authenticate. If there are users
who rely on the manpage without testing their configuration, they could
get some surprises :-)

-- 
Cédric Jonas
cedric@decemplex.net
GPG ID: 30CCFE8D
GPG Key: http://box.decemplex.net/~cedric/cedric.key.asc
GPG Fingerprint: CF03 E1FD 9428 1B6B E971 B107 9044 AA99 30CC FE8D
Jabber-ID: cedric@decemplex.net
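To illustrate the fix described in the message above, here is an added configuration example (not taken from the thread or from the pam_ldap project): a FreeBSD `/etc/pam.d/sshd` with pam_ldap in both the auth and account chains, and the host restriction in `ldap.conf` moved from `pam_filter` (auth chain only, skipped for key logins) to `pam_check_host_attr` (account chain, which sshd also runs after public-key authentication). The module path `/usr/local/lib/pam_ldap.so`, the `ldap.conf` location and the hostname `ganymed` are assumptions.

```conf
# /etc/pam.d/sshd (excerpt, added example; module path assumed)
#
# Password logins walk the "auth" chain. Public-key logins do not, since
# there is no password for PAM to verify, so a restriction that lives
# only in "auth" is never evaluated for a key-based session.
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass

# sshd runs the "account" chain for every login, key-based included, so
# the per-host restriction has to be enforced here to cover both paths.
account   required    pam_nologin.so
account   required    /usr/local/lib/pam_ldap.so
account   required    pam_unix.so

session   required    pam_permit.so
password  required    pam_unix.so                 no_warn try_first_pass

# /usr/local/etc/ldap.conf (excerpt, assumed location)
#
# Weak: narrows the LDAP user lookup during authentication only.
# A key-based login never reaches this check, so the user still gets in.
#pam_filter  host=ganymed

# Corrected: pam_sm_acct_mgmt compares the user's LDAP "host" attribute
# against this machine's hostname, and that runs for key logins as well.
pam_check_host_attr  yes
```

After changing the configuration, test both a password login and a key login from a host the user is not allowed on; only the account-chain check rejects both.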