openssh usePAM publickey and pam_filter issue


I'm working on a simple network with an LDAP server and some clients. I've
configured host-based authentication based on pam_filter.

I'm using the 4.3p2 version on server and clients with

ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
RSAAuthentication yes
PubkeyAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
#UseLogin no
UsePAM yes

I can choose the hosts a Unix user has access to by adding the "accessto"
In every client, I have the following entry in pam_ldap.conf

pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)

It works using ssh connections with password mechanism, gdm or just login.

But I've created a public key pair with ssh-keygen, and I can log in to all the
clients ($HOME through NFS) although my user has no "accessto" attribute for
these hosts.

My pam configuration:

# /etc/pam.d/common-account - authorization settings common to all services

account [success=1 default=ignore]
account required
account required

# /etc/pam.d/common-auth - authentication settings common to all services

auth [success=1 default=ignore]
auth required use_first_pass
auth required

# /etc/pam.d/common-password - password-related modules common to all services

password required retry=3 minlen=6 difok=3
password [success=1 default=ignore] use_authtok md5
password required use_first_pass use_authtok md5
password required

# /etc/pam.d/common-session - session-related modules common to all services
session required

Is this an ssh and PAM integration configuration problem?

Thanks in advance


Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tlfn: 91 394 4389