openssh usePAM publickey and pam_filter issue




Hello,

I'm working on a simple network with an LDAP server and some clients. I've
configured host-based authentication based on pam_filter.

I'm using version 4.3p2 on the server and the clients, with

[...]
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
RSAAuthentication yes
PubkeyAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
#UseLogin no
UsePAM yes
[...]


I can choose the hosts a Unix user has access to by adding the "accessto"
attribute.
On every client, I have the following entry in pam_ldap.conf:

pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=serverhostname)

It works for ssh connections using the password mechanism, gdm, or plain login.

But I've created a public key pair with ssh-keygen, and I can log in to all the
clients ($HOME via NFS) although my user has no "accessto" attribute for
these hosts.

My PAM configuration:

# /etc/pam.d/common-account - authorization settings common to all services

account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so

# /etc/pam.d/common-auth - authentication settings common to all services

auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

# /etc/pam.d/common-password - password-related modules common to all services

password required pam_cracklib.so retry=3 minlen=6 difok=3
password [success=1 default=ignore] pam_unix.so use_authtok md5
password required pam_ldap.so use_first_pass use_authtok md5
password required pam_permit.so

# /etc/pam.d/common-session - session-related modules common to all services
session required pam_unix.so


Is this an ssh and PAM integration configuration problem?



Thanks in advance

Enrique

--
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tlfn: 91 394 4389
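Added example (editor's note, not code from the original post, pam_ldap or OpenSSH). Two facts frame the question above: sshd with UsePAM runs the PAM auth stack only for password and keyboard-interactive authentication, and for a publickey login it calls only the account and session stacks; and pam_ldap applies pam_filter when it searches the directory for the user's DN before binding, which is the auth stack's job. So the host check in the posted filter is never reached by a key login, and in the posted common-account the [success=1 default=ignore] line lets pam_unix's success jump over pam_ldap as well. The script below evaluates the posted filter the way the directory would, against constructed entries, to show that the filter itself is balanced and does what the post intends on the password path. It assumes pam_ldap composes its lookup as (&(uid=<login>)(<pam_filter>)); the users, entries and host names are constructed for the example.

```python
"""Added example, not code from the original post, pam_ldap or OpenSSH: a small
evaluator for the LDAP search filter pam_ldap derives from the pam_filter line,
run against constructed directory entries.

Assumption: pam_ldap composes its user lookup as (&(uid=<login>)(<pam_filter>)),
wrapping the configured text in one extra pair of parentheses.  The entries,
user names and host names below are constructed for this example.
"""
import re

# The posted pam_filter with the per-client hostname made a parameter; each real
# client carries its own name literally.
PAM_FILTER = "objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=%s)"

# Constructed directory.  Attribute names are lower-cased because LDAP attribute
# types are case-insensitive.
DIRECTORY = [
    {"uid": ["enrique"], "objectclass": ["posixAccount"], "accessto": ["ldapserver"]},
    {"uid": ["alice"], "objectclass": ["posixAccount"], "trustmodel": ["fullaccess"]},
    {"uid": ["bob"], "objectclass": ["posixAccount"], "accessto": ["client1", "client2"]},
    {"uid": ["svc"], "objectclass": ["account"], "accessto": ["client1"]},
]

def escape_value(value):
    """RFC 4515 escaping of an assertion value, so that a login name spliced
    into the filter can never change its structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_lookup_filter(login, pam_filter):
    """Compose the lookup filter as pam_ldap is assumed to (see docstring).  The
    posted pam_filter closes the wrapping parenthesis early and opens its own
    groups, so the result is still balanced and well-formed."""
    return "(&(uid=%s)(%s))" % (escape_value(login), pam_filter)

def parse_filter(text):
    """Parse the RFC 4515 subset used here: and, or, equality, presence."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node

def _parse(text, pos):
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = text[pos + 1:pos + 2]
    pos += 1
    if op in ("&", "|"):
        pos += 1
        children = []
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    else:
        end = text.find(")", pos)
        if end < 0 or "=" not in text[pos:end]:
            raise ValueError("bad item at offset %d" % pos)
        attr, value = text[pos:end].split("=", 1)
        # A bare "*" is a presence test; an escaped \2a stays a literal asterisk.
        node = ("=", attr.strip().lower(), None if value == "*" else unescape_value(value))
        pos = end
    if text[pos:pos + 1] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared
    case-insensitively, as caseIgnoreMatch would)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value is None:
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def lookup_succeeds(login, host, directory=DIRECTORY, pam_filter=PAM_FILTER):
    """True if pam_ldap's lookup on `host` finds `login`, i.e. if a password
    login could proceed to the bind; a publickey login never runs this."""
    flt = parse_filter(build_lookup_filter(login, pam_filter % host))
    return any(matches(flt, e) for e in directory)

def allowed_logins(host, directory=DIRECTORY, pam_filter=PAM_FILTER):
    """Constructed users whose lookup succeeds on `host`."""
    return sorted(e["uid"][0] for e in directory
                  if lookup_succeeds(e["uid"][0], host, directory, pam_filter))

if __name__ == "__main__":
    print(build_lookup_filter("enrique", PAM_FILTER % "client1"))
    for host in ("ldapserver", "client1", "client2"):
        print(host, allowed_logins(host))
```

Running it prints the composed filter and, per host, the users the filter admits: the user without an accessto value for a client is rejected there on the password path, exactly as the post observes. What the script cannot show is any restriction for key logins, because sshd never calls the auth stack for them; a per-host rule that must hold for publickey logins has to live in the account stack or in sshd itself (AllowUsers/AllowGroups), not in pam_filter.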