sshd: PAM + key authentication
tom at tomjudge.com
Sun Mar 4 16:37:58 UTC 2007
Cédric Jonas wrote:
> Hi all,
> I set up a some sshd servers which authenticates their users through a
> LDAP DB. To realize this, I used PAM.
> Everything ok until now.
> Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I only
> allowed logon on specifical hosts for some users.
> After that, I tested this last functionality: I tried to login on a
> disallowed host, and it fails - so it works as expected. For this test,
> I used password authentication. Later, I tried the same test with key
> authentication, and could log in...
> After some more investigations, it seems sshd ignores PAM when someone
> tries to log in with a key... is there some way to force sshd to
> consider PAM in case of key authentication?
> Thanks you,
There are some patches available for sshd that allow you to control both
the SSH keys using an LDAP database and which users can log on to the
ssh server (using both password/key based authentication i believe [I
have never personally tested with password auth as our servers are set
to key based auth only]). I can send patches against 6.1/6.2 if required.
More information about the freebsd-questions