> GNUtoo@no-log.org wrote:
>> Hello,
>> I'd like to use only PAM(for requiring additional restrictions) for
>> OpenSSH authentications and I'd like to have:
>> *key authentications
>> *s/key like authentications but more secure(because I was told that the
>> randomness of the s/key passwords is not secure nowadays)
>> (and additional things such as anti-brute-force system for PAM and
>> logins
>> restrictions based on the time/date)
>>
>> but I haven't been successful so far...
>> I first wanted to forbid others account than the ones listed in
>> /etc/ssh/sshd.allow: I've done the following
>> in /etc/ssh/sshd_config I've used PAM:
>> UsePAM yes
>> normal passwords were disabled,key enabled and s/key disabled
>> and I added:
>> auth required pam_listfile.so item=user sense=allow

> [...]
>> but it didn't work...account not listed in the file could still login
>> via SSH

>
> ... using public-key authentication:
>
>> debug1: matching key found: file /home/xxx/.ssh/authorized_keys, line 1

>
> SSH's public-key authentication does not use the PAM auth stack (it
> can't) but it does use the account stack for all auth types. Add your
> pam_listfile to the account stack and it should do what you want.

thanks a lot!!! it works