Re: openssh usePAM publickey and pam_filter issue
- From: Enrique de la Torre Gordaliza <enrique.delatorre@xxxxxxxxxx>
- Date: Thu, 31 Aug 2006 12:19:26 +0200
El Jueves, 31 de Agosto de 2006 08:30, escribió:
I can choose the hosts a unix user have access to by adding the
In every client, I have the next entry on pam_ldap.conf
It works using ssh connections with password mechanism, gdm or just
But Ive created a public key pair with ssh-keygen, and I can log in all
the clients ($HOME throw NFS) although my user has no "accessto"
attribute for these hosts.
Looks like pam_filter is used only for filtering user data and not
for the account management in the pam_ldap. Can you run your ssh server
with -ddd flags, try to log in with user that has no 'accessto' attribute
and see what stage of PAM rejected that user.
One more idea: do you use pam_nss? If yes, then pam_unix can let you
in, because it looks up user using nsswitch. pam_nss (at least version 252)
does not use pam_filter configuration item. Try to eliminate success=1
from pam_unix.so string below and see if it will help.
Really, it is a libnss issue. Ive not changed account pam configuration, just
shadow: files ldap
Its reported at README.Debian on libpam-ldap.
# /etc/pam.d/common-account - authorization settings common to all
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tlfn: 91 394 4389
- Prev by Date: Re: openssh usePAM publickey and pam_filter issue
- Next by Date: RE: Need some education: Man-in-the-Middle Attacks
- Previous by thread: Re: openssh usePAM publickey and pam_filter issue