Re: openssh usePAM publickey and pam_filter issue



El Jueves, 31 de Agosto de 2006 08:30, escribió:
Enrique,

I can choose the hosts a unix user have access to by adding the
"accessto" attribute.
In every client, I have the next entry on pam_ldap.conf

pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)
(accessto=serverhostname).

It works using ssh connections with password mechanism, gdm or just
login.

But Ive created a public key pair with ssh-keygen, and I can log in all
the clients ($HOME throw NFS) although my user has no "accessto"
attribute for these hosts.

Looks like pam_filter is used only for filtering user data and not
for the account management in the pam_ldap. Can you run your ssh server
with -ddd flags, try to log in with user that has no 'accessto' attribute
and see what stage of PAM rejected that user.

One more idea: do you use pam_nss? If yes, then pam_unix can let you
in, because it looks up user using nsswitch. pam_nss (at least version 252)
does not use pam_filter configuration item. Try to eliminate success=1
from pam_unix.so string below and see if it will help.

Really, it is a libnss issue. Ive not changed account pam configuration, just
change

shadow: files ldap

to

shadow: files

on nsswitch.conf

Its reported at README.Debian on libpam-ldap.

Thanks

Enrique



# /etc/pam.d/common-account - authorization settings common to all
services

account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so

--
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tlfn: 91 394 4389