sshd: PAM + key authentication

Cédric Jonas cedric at
Sun Mar 4 17:14:20 UTC 2007

On Sun, 04 Mar 2007 16:39:29 +0000
Tom Judge <tom at> wrote:

> Cédric Jonas wrote:
> > Hi all,
> > 
> > I set up a some sshd servers which authenticates their users
> > through a LDAP DB. To realize this, I used PAM. 
> > Everything ok until now. 
> > 
> > Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I
> > only allowed logon on specifical hosts for some users.
> > After that, I tested this last functionality: I tried to login on a
> > disallowed host, and it fails - so it works as expected. For this
> > test, I used password authentication. Later, I tried the same test
> > with key authentication, and could log in...
> > After some more investigations, it seems sshd ignores PAM when
> > someone tries to log in with a key... is there some way to force
> > sshd to consider PAM in case of key authentication?
> > 
> > Thanks you,
> > 
> There are some patches available for sshd that allow you to control
> both the SSH keys using an LDAP database and which users can log on
> to the ssh server (using both password/key based authentication i
> believe [I have never personally tested with password auth as our
> servers are set to key based auth only]).  I can send patches against
> 6.1/6.2 if required.
> Tom

Thanks you, but I just found the problem: I used pam_filter to exclude
some user from specifics hosts, but this option is only verified in the
auth chain - which isn't used with key auth (seems to be clear, since
there isn't some password to be valided). So I try pam_check_host_attr,
which is verified in the account chain - which is also used when I try
to login with a key :-)

BTW: I saw that pam_unix doesn't implement something for
pam_sm_acct_mgmt except a return PAM_SUCCESS. 

Or, the manpage (pam_unix(8)) says:

"The function verifies that the authenticated user is allowed to login
to the local user account by checking the password expiry date."

I think it would be better to correct the entire manpage, since the
only function which implements something is pam_sm_authenticate.
If there are users whose rely on the manpage without testing their
configuration, they could get some surprises :-)

Cédric Jonas                                        cedric at

GPG ID:                                                         30CCFE8D
GPG Key:       
GPG Fingerprint:      CF03 E1FD 9428 1B6B E971  B107 9044 AA99 30CC FE8D

Jabber-ID:                                          cedric at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list