openssh unix dev - Feb 2002 - Problem with using both pam_listfile to deny logins and pubkey authentication

Hi,

I'm trying to use pam_listfile.so to deny logins from all others but few 
users (names in /etc/loginusers). With password authentication it works 
fine, but with public key authentication OpenSSH lets in users whose 
names arent't in /etc/loginusers. AllowUsers in sshd_config does what 
one would expect.

I'm using OpenSSH-3.0.2p1 on Debian testing (package version 
1:3.0.2p1-6) and tried this also on stable (OpenSSH package version 
1:3.0.1p1-0 from unstable); the situation is same there.

Has anyone else noticed this or is it Debian's or my own problem?

/etc/pam.d/ssh:
---
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow 
file=/etc/loginusers onerr=fail
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]


account    required     pam_unix.so

session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   required     pam_unix.so
---

-- 
Sakari Ailus
sakari.ailus at luukku.com

>I'm trying to use pam_listfile.so to deny logins from all others but few
>users (names in /etc/loginusers). With password authentication it works 
>fine, but with public key authentication OpenSSH lets in users whose 
>names arent't in /etc/loginusers. AllowUsers in sshd_config does what 
>one would expect.
This is NOT a problem with OpenSSH it does all the correct PAM calls.

The problem is your PAM module.  You have it listed against auth which
makes me belive it is implmenting pam_authenticate.  This is NOT an
auth action it is an account mangement action.

I have a very similar module that I wrote but it does it correctly
as a pam_sm_acct_mgmt() implementation not a pam_sm_authenticate().
>Has anyone else noticed this or is it Debian's or my own problem?
Who ever wrote the pam_listfile module, they didn't fully understand
what they were writting.

Authentication in PAM is about proving to the system who you are.
Account Management is about the system deciding if the already authenticated
user (either via PAM or external means in the case of ssh with public keys
or cron) is allowed into this machine at this time.

You have my permission to forward this message to the author of the
pam_listfile module.

--
Darren J Moffat

On Wed, 13 Feb 2002, Sakari Ailus wrote:
> Hi,
> 
> I'm trying to use pam_listfile.so to deny logins from all others but
few
> users (names in /etc/loginusers). With password authentication it works 
> fine, but with public key authentication OpenSSH lets in users whose 
> names arent't in /etc/loginusers. AllowUsers in sshd_config does what 
> one would expect.
> auth       required     pam_listfile.so item=user sense=allow 
> file=/etc/loginusers onerr=fail
We bypass auth modules for public key authentication. If you can get the
listfile module to run as an 'account' or 'session' module it
should
work.

Alternately you could use OpenSSH's builtin Allow/DenyUser functionality.

-d