openssh usePAM publickey and pam_filter issue




Hello,

Im working on a simple network with a LDAP server and some clients. Ive
configured host based authentication based on pam_filter.

Im using 4.3p2 version on server and clients with

[...]
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
RSAAuthentication yes
PubkeyAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
#UseLogin no
UsePAM yes
[...]


I can choose the hosts a unix user have access to by adding the "accessto"
attribute.
In every client, I have the next entry on pam_ldap.conf

pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)
(accessto=serverhostname).

It works using ssh connections with password mechanism, gdm or just login.

But Ive created a public key pair with ssh-keygen, and I can log in all the
clients ($HOME throw NFS) although my user has no "accessto" attribute for
these hosts.

My pam configuration:

# /etc/pam.d/common-account - authorization settings common to all services

account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so

# /etc/pam.d/common-auth - authentication settings common to all services

auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

# /etc/pam.d/common-password - password-related modules common to all services

password required pam_cracklib.so retry=3 minlen=6 difok=3
password [success=1 default=ignore] pam_unix.so use_authtok md5
password required pam_ldap.so use_first_pass use_authtok md5
password required pam_permit.so

# /etc/pam.d/common-session - session-related modules common to all services
session required pam_unix.so


is this a ssh and PAM integration configuration problem?



Thanks in advance

Enrique

--
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tlfn: 91 394 4389



Relevant Pages

  • Re: Security Appliance With 12 Network Segments
    ... It isn't true that changing the configuration locally on a number of ... hosts is significantly harder than changing a couple lines in one ... Most clients don't. ...
    (comp.security.firewalls)
  • Re: Route tables
    ... > gateway does do NAT. ... ethernet card's configuration (which is usually why the lo interface ... One end plugs into their router, ... -- all hosts configured to use same network ...
    (comp.os.linux.networking)
  • Re: VPN Settup
    ... search for HOSTS or LMHOSTS. ... > with entries for all machines on the LAN you need to access by name. ... >> clients do not need to be domain members to access resources, ...
    (microsoft.public.isa.vpn)
  • Re: VPN Settup
    ... search for HOSTS or LMHOSTS. ... > with entries for all machines on the LAN you need to access by name. ... >> clients do not need to be domain members to access resources, ...
    (microsoft.public.win2000.ras_routing)
  • Re: Outlook 2003 SP1 upgrade - Rules no longer work properly.
    ... Most of our mailboxes use Outlook 2000 or XP and that was the configuration ... our clients to 2003 and for the timebeing we wanted to keep a common ... >>> 3) Set the delivery location to the Personal Folders file ... >>>> server mailbox and doesn't then get moved into the mailbox residing ...
    (microsoft.public.outlook.general)