Sakari Ailus
2002-Feb-13 21:28 UTC
Problem with using both pam_listfile to deny logins and pubkey authentication
Hi,

I'm trying to use pam_listfile.so to deny logins from all but a few users (names in /etc/loginusers). With password authentication it works fine, but with public key authentication OpenSSH lets in users whose names aren't in /etc/loginusers. AllowUsers in sshd_config does what one would expect.

I'm using OpenSSH-3.0.2p1 on Debian testing (package version 1:3.0.2p1-6) and tried this also on stable (OpenSSH package version 1:3.0.1p1-0 from unstable); the situation is the same there. Has anyone else noticed this or is it Debian's or my own problem?

/etc/pam.d/ssh:
---
#%PAM-1.0
auth required pam_listfile.so item=user sense=allow file=/etc/loginusers onerr=fail
auth required pam_nologin.so
auth required pam_unix.so
auth required pam_env.so # [1]
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password required pam_unix.so
---

--
Sakari Ailus
sakari.ailus at luukku.com
Darren Moffat
2002-Feb-13 21:37 UTC
Problem with using both pam_listfile to deny logins and pubkey authentication
> I'm trying to use pam_listfile.so to deny logins from all but a few
> users (names in /etc/loginusers). With password authentication it works
> fine, but with public key authentication OpenSSH lets in users whose
> names aren't in /etc/loginusers. AllowUsers in sshd_config does what
> one would expect.

This is NOT a problem with OpenSSH; it does all the correct PAM calls. The problem is your PAM module. You have it listed against auth, which makes me believe it is implementing pam_authenticate. This is NOT an auth action; it is an account management action. I have a very similar module that I wrote, but it does it correctly as a pam_sm_acct_mgmt() implementation, not a pam_sm_authenticate().

> Has anyone else noticed this or is it Debian's or my own problem?

Whoever wrote the pam_listfile module, they didn't fully understand what they were writing. Authentication in PAM is about proving to the system who you are. Account Management is about the system deciding if the already authenticated user (either via PAM or external means, in the case of ssh with public keys or cron) is allowed into this machine at this time.

You have my permission to forward this message to the author of the pam_listfile module.

--
Darren J Moffat
Damien Miller
2002-Feb-13 21:45 UTC
Problem with using both pam_listfile to deny logins and pubkey authentication
On Wed, 13 Feb 2002, Sakari Ailus wrote:

> Hi,
>
> I'm trying to use pam_listfile.so to deny logins from all but a few
> users (names in /etc/loginusers). With password authentication it works
> fine, but with public key authentication OpenSSH lets in users whose
> names aren't in /etc/loginusers. AllowUsers in sshd_config does what
> one would expect.

> auth required pam_listfile.so item=user sense=allow
> file=/etc/loginusers onerr=fail

We bypass auth modules for public key authentication. If you can get the listfile module to run as an 'account' or 'session' module it should work. Alternately you could use OpenSSH's builtin Allow/DenyUser functionality.

-d
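The mismatch the thread describes (an access-control module stacked on auth, which sshd skips for public-key logins) can be checked mechanically. This added example is not part of the thread or of OpenSSH: it parses a pam.d service file constructed from the config posted above, flags pam_listfile.so under auth, and rewrites that entry onto the account stack as the replies suggest. The set of modules treated as access-control modules is an assumption.

```python
"""Flag access-control modules stacked on the PAM 'auth' facility.

sshd only drives the auth stack for password-style methods; a public-key
login never calls pam_authenticate, so a user list enforced there is
bypassed. The account stack runs for every login, which is where such a
policy belongs.
"""
import re

# Modules that decide whether an already-authenticated user may log in.
# Assumed list; extend for your own site's modules.
ACCESS_CONTROL_MODULES = {"pam_listfile.so", "pam_access.so", "pam_time.so"}

# facility  control  module  [args...]   (comments stripped before matching)
LINE_RE = re.compile(r"^(auth|account|session|password)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample, copied from the /etc/pam.d/ssh posted in the thread.
SAMPLE_PAM_SSH = """\
#%PAM-1.0
auth required pam_listfile.so item=user sense=allow file=/etc/loginusers onerr=fail
auth required pam_nologin.so
auth required pam_unix.so
auth required pam_env.so # [1]
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session required pam_limits.so
password required pam_unix.so
"""

def parse_pam(text):
    """Return (facility, control, module, args) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries

def find_bypassable_entries(text):
    """Access-control modules on 'auth': skipped entirely for pubkey logins."""
    return [e for e in parse_pam(text)
            if e[0] == "auth" and e[2] in ACCESS_CONTROL_MODULES]

def move_to_account(text):
    """Rewrite flagged lines so the same policy runs on the 'account' stack."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m and m.group(1) == "auth" and m.group(3) in ACCESS_CONTROL_MODULES:
            out.append("account " + line[len("auth"):].lstrip())  # same control/args
        else:
            out.append(raw)
    return "\n".join(out)
```

Run against a real file with `find_bypassable_entries(open("/etc/pam.d/sshd").read())`; an empty list means no access-control module is sitting on the stack that public-key logins skip.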