GNUtoo@no-log.org wrote:
> Hello,
> I'd like to use only PAM (for requiring additional restrictions) for
> OpenSSH authentications and I'd like to have:
> *key authentications
> *s/key-like authentications but more secure (because I was told that the
> randomness of the s/key passwords is not secure nowadays)
> (and additional things such as an anti-brute-force system for PAM and login
> restrictions based on the time/date)
>
> but I haven't been successful so far...
> I first wanted to forbid accounts other than the ones listed in
> /etc/ssh/sshd.allow: I've done the following
> in /etc/ssh/sshd_config I've used PAM:
> UsePAM yes
> normal passwords were disabled, key enabled and s/key disabled
> and I added:
> auth required pam_listfile.so item=user sense=allow

[...]
> but it didn't work... accounts not listed in the file could still log in via SSH


.... using public-key authentication:

> debug1: matching key found: file /home/xxx/.ssh/authorized_keys, line 1


SSH's public-key authentication does not use the PAM auth stack (it
can't) but it does use the account stack for all auth types. Add your
pam_listfile to the account stack and it should do what you want.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
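Added example (not from the thread, not OpenSSH or Darren Tucker's code): two constructed /etc/pam.d/sshd fragments, one with pam_listfile on the auth stack as in the original post (which public-key logins never reach) and one with it on the account stack (which sshd runs for every authentication type when UsePAM is yes), plus a small check that reports which stack carries the module. The file=/etc/ssh/sshd.allow argument, onerr=fail, and the common-auth/common-account include lines are assumptions; the original post did not show them.

```shell
#!/bin/sh
# Constructed sample: pam_listfile only on the auth stack (the original post's setup).
# Public-key authentication is decided inside sshd and never enters the PAM auth stack,
# so this line is never consulted for key logins. Paths and includes are assumptions.
PAM_AUTH_ONLY='auth     required  pam_listfile.so item=user sense=allow file=/etc/ssh/sshd.allow onerr=fail
auth     include   common-auth
account  include   common-account'

# Constructed sample: the corrected layout. sshd calls the PAM account stack for
# password, keyboard-interactive and public-key logins alike, so the allow-list
# now applies to all of them. onerr=fail denies access if the list file is unreadable.
PAM_FIXED='auth     include   common-auth
account  required  pam_listfile.so item=user sense=allow file=/etc/ssh/sshd.allow onerr=fail
account  include   common-account'

# listfile_on_stack STACK CONFIG
# Exit 0 if a non-comment line of CONFIG whose type field is STACK loads pam_listfile.so.
# Matches the module anywhere on the line so bracketed control fields
# ("[success=1 default=ignore]") do not shift the column count.
listfile_on_stack() {
    printf '%s\n' "$2" | awk -v stack="$1" '
        /^[[:space:]]*#/ { next }
        $1 == stack && /pam_listfile\.so/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_pubkey_restriction CONFIG
# Prints a verdict and exits 0 only when the allow-list also covers public-key logins.
check_pubkey_restriction() {
    if listfile_on_stack account "$1"; then
        echo "ok: pam_listfile on the account stack; applies to password and public-key logins"
        return 0
    elif listfile_on_stack auth "$1"; then
        echo "warn: pam_listfile only on the auth stack; public-key logins bypass it"
        return 1
    else
        echo "warn: pam_listfile not configured on auth or account stack"
        return 1
    fi
}

# Run against the two constructed fragments; on a real host use: check_pubkey_restriction "$(cat /etc/pam.d/sshd)"
check_pubkey_restriction "$PAM_AUTH_ONLY"
check_pubkey_restriction "$PAM_FIXED"
```

After moving the line to the account stack, confirm the change the same way the original poster found the gap: log in with a valid key as a user who is not in /etc/ssh/sshd.allow and check that sshd now rejects the session (the denial shows up in sshd's log with LogLevel DEBUG or higher) and that a listed user still gets in.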