Hello,
I'm working on a simple network with an LDAP server and some clients. I've
configured host based authentication based on pam_filter.
I'm using version 4.3p2 on the server and clients with
[...]
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
RSAAuthentication yes
PubkeyAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
#UseLogin no
UsePAM yes
[...]
I can choose the hosts a unix user has access to by adding the "accessto"
attribute.
In every client, I have the following entry in pam_ldap.conf:
pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=serverhostname)
It works using ssh connections with password mechanism, gdm or just login.
But I've created a public key pair with ssh-keygen, and I can log in to all the
clients ($HOME through NFS) although my user has no "accessto" attribute for
these hosts.
My pam configuration:
# /etc/pam.d/common-account - authorization settings common to all services
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
# /etc/pam.d/common-auth - authentication settings common to all services
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
# /etc/pam.d/common-password - password-related modules common to all services
password required pam_cracklib.so retry=3 minlen=6 difok=3
password [success=1 default=ignore] pam_unix.so use_authtok md5
password required pam_ldap.so use_first_pass use_authtok md5
password required pam_permit.so
# /etc/pam.d/common-session - session-related modules common to all services
session required pam_unix.so
Is this an ssh and PAM integration configuration problem?
Thanks in advance
Enrique
--
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tlfn: 91 394 4389
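As an added illustration (not part of the mail above), the following Python model of Linux-PAM stack evaluation runs the common-account stack quoted in the message. It assumes (not stated in the mail) that pam_unix's account check succeeds for an LDAP user resolved through NSS while pam_ldap's account check fails for a user whose entry does not match pam_filter on that host, and that with UsePAM yes a public-key login runs only the account stack, not the auth stack.

```python
# Added example, not code from the original post or from OpenSSH/pam_ldap.
# Assumptions (constructed): pam_unix account -> success for an NSS-resolved
# LDAP user; pam_ldap account -> fail when pam_filter does not match this host;
# pam_unix auth -> fail (no local hash), so password logins reach pam_ldap.

SUCCESS, FAIL = "success", "fail"

def run_stack(stack, results):
    """Evaluate a PAM stack and return (final_result, modules_called).

    stack:   list of (control, module); control is "required" or an int N
             meaning "[success=N default=ignore]" (jump over N modules on success).
    results: module -> return value of that module for this user/host.
    """
    called, failed, i = [], False, 0
    while i < len(stack):
        control, module = stack[i]
        called.append(module)
        ret = results[module]
        if isinstance(control, int):
            if ret == SUCCESS:
                i += control          # skip the next N modules
        elif ret != SUCCESS:          # "required": remember failure, keep going
            failed = True
        i += 1
    return (FAIL if failed else SUCCESS), called

# Stacks as configured in the mail (pam_permit always succeeds).
AUTH = [(1, "pam_unix"), ("required", "pam_ldap"), ("required", "pam_permit")]
ACCOUNT_ORIGINAL = [(1, "pam_unix"), ("required", "pam_ldap"), ("required", "pam_permit")]
# Hardened variant (assumed fix): pam_ldap is consulted on every account check.
ACCOUNT_FIXED = [("required", "pam_unix"), ("required", "pam_ldap"), ("required", "pam_permit")]

# Constructed scenario: LDAP user with no "accessto" attribute for this host.
AUTH_RESULTS = {"pam_unix": FAIL, "pam_ldap": FAIL, "pam_permit": SUCCESS}
ACCT_RESULTS = {"pam_unix": SUCCESS, "pam_ldap": FAIL, "pam_permit": SUCCESS}

def sshd_login(method, account_stack):
    """Model sshd with UsePAM yes: password auth runs the PAM auth stack,
    public-key auth does not; both methods run the account stack."""
    if method == "password" and run_stack(AUTH, AUTH_RESULTS)[0] != SUCCESS:
        return False
    return run_stack(account_stack, ACCT_RESULTS)[0] == SUCCESS

if __name__ == "__main__":
    for name, stack in (("original", ACCOUNT_ORIGINAL), ("fixed", ACCOUNT_FIXED)):
        for method in ("password", "publickey"):
            print(f"{name:8} {method:9} allowed={sshd_login(method, stack)}")
```

With the original stack, pam_unix's success jumps over pam_ldap, so the account stack never evaluates pam_filter and the public-key login is allowed; requiring pam_ldap on every account check closes that path.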