sshd: PAM + key authentication

Tom Judge tom at tomjudge.com
Sun Mar 4 16:37:58 UTC 2007


Cédric Jonas wrote:
> Hi all,
> 
> I set up some sshd servers which authenticate their users through an
> LDAP DB. To realize this, I used PAM. 
> Everything ok until now. 
> 
> Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I only
> allowed logon on specific hosts for some users.
> After that, I tested this last functionality: I tried to login on a
> disallowed host, and it fails - so it works as expected. For this test,
> I used password authentication. Later, I tried the same test with key
> authentication, and could log in...
> After some more investigations, it seems sshd ignores PAM when someone
> tries to log in with a key... is there some way to force sshd to
> consider PAM in case of key authentication?
> 
> Thank you,
> 

There are some patches available for sshd that allow you to control both 
the SSH keys using an LDAP database and which users can log on to the 
ssh server (using both password/key based authentication I believe [I 
have never personally tested with password auth as our servers are set 
to key based auth only]).  I can send patches against 6.1/6.2 if required.

Tom
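
The behaviour reported in this thread, as an added check that is not part of the original messages or of any patch mentioned in them: with `UsePAM yes`, sshd runs PAM `auth` modules only for password and keyboard-interactive logins, while `account` and `session` modules run for every authentication type, so a restriction that lives only in the `auth` stack is not applied to key logins. The config contents, the `pam_ldap.so` placement and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration (not taken from the thread).
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""
PAM_SSHD = """\
auth     required  pam_ldap.so    # assumed: LDAP filter enforced here only
account  required  pam_unix.so
session  required  pam_permit.so
"""

def sshd_option(config, name, default):
    """First value of an sshd_config keyword (sshd uses the first one it reads)."""
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return default

def pam_facilities(pam_text, module):
    """PAM facilities (auth, account, ...) whose stack references `module`."""
    found = set()
    for line in pam_text.splitlines():
        # Collapse bracketed control flags such as [success=1 default=ignore].
        line = re.sub(r"\[[^\]]*\]", "ctl", line.split("#", 1)[0])
        fields = line.split()
        if len(fields) >= 3 and module in fields[2]:
            found.add(fields[0].lstrip("-").lower())
    return found

def key_login_skips(sshd_config, pam_text, module):
    """True if a restriction enforced by `module` is not applied to key logins."""
    if sshd_option(sshd_config, "PubkeyAuthentication", "yes") != "yes":
        return False  # key logins are disabled, nothing to bypass
    if sshd_option(sshd_config, "UsePAM", "no") != "yes":
        return True   # sshd does no PAM processing at all
    # auth modules are skipped for key logins; account modules still run.
    return "account" not in pam_facilities(pam_text, module)

if __name__ == "__main__":
    print("key login skips pam_ldap:", key_login_skips(SSHD_CONFIG, PAM_SSHD, "pam_ldap"))
```

The check does not interpret `Match` blocks, and it only confirms that the module is listed in the `account` stack, not that the module's account handler evaluates the host restriction.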


More information about the freebsd-questions mailing list