openssh usePAM publickey and pam_filter issue
Hello,

I'm working on a simple network with an LDAP server and some clients. I've
configured host-based authentication based on pam_filter.

I'm using version 4.3p2 on the server and clients with

[...]
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
RSAAuthentication yes
PubkeyAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
#UseLogin no
UsePAM yes
[...]


I can choose the hosts a Unix user has access to by adding the "accessto"
attribute.
On every client, I have the following entry in pam_ldap.conf:

pam_filter &(objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=serverhostname))

It works for ssh connections with the password mechanism, for gdm, or for plain login.

But I've created a public key pair with ssh-keygen, and I can log in to all the
clients ($HOME over NFS) although my user has no "accessto" attribute for
these hosts.

My pam configuration:

# /etc/pam.d/common-account - authorization settings common to all services

account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so

# /etc/pam.d/common-auth - authentication settings common to all services

auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

# /etc/pam.d/common-password - password-related modules common to all services

password required pam_cracklib.so retry=3 minlen=6 difok=3
password [success=1 default=ignore] pam_unix.so use_authtok md5
password required pam_ldap.so use_first_pass use_authtok md5
password required pam_permit.so

# /etc/pam.d/common-session - session-related modules common to all services
session required pam_unix.so


Is this an ssh and PAM integration configuration problem?



Thanks in advance

Enrique

--
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tel.: 91 394 4389
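An added illustration for the question above (not code from the post, from OpenSSH or from pam_ldap): with PubkeyAuthentication and UsePAM yes, a key login never enters PAM's auth stage, because sshd only calls pam_authenticate for password and keyboard-interactive logins, but sshd still runs the account stage after the key is accepted. So for key logins the only stack in which pam_ldap could consult pam_filter is common-account, and which modules of that stack actually get called is decided by the control tokens. The script below models the Linux-PAM control-token rules (required/requisite/sufficient/optional and the `[success=N default=ignore]` jump form) and walks the posted account stack beside a hypothetical one without the jump. The module return codes it feeds in are constructed inputs; what pam_unix and pam_ldap really return for a given user depends on NSS and on pam_ldap's own lookup.

```python
"""Model of how Linux-PAM walks an account stack (added example, not code
from the post). Module return codes below are constructed inputs."""

import re

# Return values used below, named after PAM's pam_strerror vocabulary.
SUCCESS, PERM_DENIED, USER_UNKNOWN = "success", "perm_denied", "user_unknown"

# Linux-PAM defines the four classic control words as these action tables.
SHORTHANDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'required' or '[success=1 default=ignore]' into {retval: action}."""
    control = SHORTHANDS.get(control, control)
    body = control.strip()[1:-1]
    return dict(item.split("=", 1) for item in body.split())


def parse_stack(text):
    """Parse pam.d lines ('account required pam_ldap.so') into (control, module)."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            raise ValueError("cannot parse: " + line)
        stack.append((m.group(2), m.group(3)))
    return stack


def run_stack(stack, results):
    """Evaluate one PAM stage. results maps module -> return value.
    Returns (final_result, modules actually called, in order)."""
    impression, status = None, PERM_DENIED   # all-ignored stacks fail
    called, skip = [], 0
    for control, module in stack:
        if skip:                 # jumped over by an earlier success=N
            skip -= 1
            continue
        rc = results.get(module, SUCCESS)
        called.append(module)
        actions = parse_control(control)
        action = actions.get(rc, actions.get("default", "bad"))
        if action.isdigit():     # 'success=1': counts as ok, then skip N modules
            skip, action = int(action), "ok"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", rc
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":     # first failure is the one reported
                impression, status = "negative", rc
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
    return status, called


# Constructed case: an LDAP user whose entry lacks accessto=<this host>.
# pam_unix's account check sees an ordinary (NSS-supplied) account and passes;
# pam_ldap, if it is asked at all, refuses because pam_filter does not match.
RESULTS = {"pam_unix.so": SUCCESS, "pam_ldap.so": PERM_DENIED, "pam_permit.so": SUCCESS}

POSTED_ACCOUNT = """
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
"""

# Hypothetical alternative (an assumption, not from the post): no jump, so
# pam_ldap is consulted on every account check. Trade-off: a user pam_ldap
# does not accept, including a purely local one, is then refused as well.
NO_JUMP_ACCOUNT = """
account required pam_unix.so
account required pam_ldap.so
"""


def posted_stack_result():
    return run_stack(parse_stack(POSTED_ACCOUNT), RESULTS)


def no_jump_stack_result():
    return run_stack(parse_stack(NO_JUMP_ACCOUNT), RESULTS)


if __name__ == "__main__":
    for name, fn in (("posted", posted_stack_result), ("no-jump", no_jump_stack_result)):
        status, called = fn()
        print(f"{name:8s} -> {status:12s} consulted: {', '.join(called)}")
```

With the posted stack, pam_unix's success jumps straight to pam_permit and pam_ldap is never called, so the pam_filter restriction cannot take effect on a key login; with password logins the restriction is enforced earlier, in the auth stack, which key logins bypass. Whether the no-jump ordering is acceptable depends on whether every account that may log in to these hosts is in LDAP.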