sshd: PAM + key authentication
cedric at decemplex.net
Sun Mar 4 17:14:20 UTC 2007
On Sun, 04 Mar 2007 16:39:29 +0000
Tom Judge <tom at tomjudge.com> wrote:
> Cédric Jonas wrote:
> > Hi all,
> > I set up a some sshd servers which authenticates their users
> > through a LDAP DB. To realize this, I used PAM.
> > Everything ok until now.
> > Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I
> > only allowed logon on specifical hosts for some users.
> > After that, I tested this last functionality: I tried to login on a
> > disallowed host, and it fails - so it works as expected. For this
> > test, I used password authentication. Later, I tried the same test
> > with key authentication, and could log in...
> > After some more investigations, it seems sshd ignores PAM when
> > someone tries to log in with a key... is there some way to force
> > sshd to consider PAM in case of key authentication?
> > Thanks you,
> There are some patches available for sshd that allow you to control
> both the SSH keys using an LDAP database and which users can log on
> to the ssh server (using both password/key based authentication i
> believe [I have never personally tested with password auth as our
> servers are set to key based auth only]). I can send patches against
> 6.1/6.2 if required.
Thanks you, but I just found the problem: I used pam_filter to exclude
some user from specifics hosts, but this option is only verified in the
auth chain - which isn't used with key auth (seems to be clear, since
there isn't some password to be valided). So I try pam_check_host_attr,
which is verified in the account chain - which is also used when I try
to login with a key :-)
BTW: I saw that pam_unix doesn't implement something for
pam_sm_acct_mgmt except a return PAM_SUCCESS.
Or, the manpage (pam_unix(8)) says:
"The function verifies that the authenticated user is allowed to login
to the local user account by checking the password expiry date."
I think it would be better to correct the entire manpage, since the
only function which implements something is pam_sm_authenticate.
If there are users whose rely on the manpage without testing their
configuration, they could get some surprises :-)
Cédric Jonas cedric at decemplex.net
GPG ID: 30CCFE8D
GPG Key: http://box.decemplex.net/~cedric/cedric.key.asc
GPG Fingerprint: CF03 E1FD 9428 1B6B E971 B107 9044 AA99 30CC FE8D
Jabber-ID: cedric at decemplex.net
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20070304/091b3be9/signature.pgp
More information about the freebsd-questions