Re: OpenSSH and PAM



GNUtoo@xxxxxxxxxx wrote:
Hello,
I'd like to use only PAM(for requiring additional restrictions) for
OpenSSH authentications and I'd like to have:
*key authentications
*s/key like authentications but more secure(because I was told that the
randomness of the s/key passwords is not secure nowadays)
(and additional things such as anti-brute-force system for PAM and logins
restrictions based on the time/date)

but I haven't been successful so far...
I first wanted to forbid others account than the ones listed in
/etc/ssh/sshd.allow: I've done the following
in /etc/ssh/sshd_config I've used PAM:
UsePAM yes
normal passwords were disabled,key enabled and s/key disabled
and I added:
auth required pam_listfile.so item=user sense=allow
[...]
but it didn't work...account not listed in the file could still login via SSH

... using public-key authentication:

debug1: matching key found: file /home/xxx/.ssh/authorized_keys, line 1

SSH's public-key authentication does not use the PAM auth stack (it can't) but it does use the account stack for all auth types. Add your pam_listfile to the account stack and it should do what you want.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.