On 30/11/06, Morten Kjeldgaard mok@bioxray.dk wrote:
Big thanks to Barry Brimer and Will McDonald for your suggestions!
No problem.
I had big hopes for the "UsePAM yes" in sshd_config since I was not aware of that option, and it seemed like THE solution. However, tried it, restarted the sshd daemon but still the same, I can still log on. Totally strange.
I've just had a play on a test system and I seem to have it working.
[root@server ~]# grep -v ^# /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
IgnoreRhosts yes
PasswordAuthentication no
UsePAM yes
LogLevel DEBUG
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
[root@server ~]# grep -v ^# /etc/security/access.conf
[root@server ~]# grep -v ^# /etc/pam.d/system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/pam_access.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
So that's nothing in access.conf; all I've added in system-auth is "account required /lib/security/pam_access.so" as in your example, though that was a default setup which has more than yours appears to.
The sshd_config is tailored by my Kickstart and from that I've added
UsePAM yes
LogLevel DEBUG
You don't want to run with LogLevel DEBUG under normal circumstances.
Note, the man page states you need either PasswordAuthentication or ChallengeResponseAuthentication disabled, too.
[user@client ~]$ ssh -ltestuser 192.168.24.112
Password:
Last login: Thu Nov 30 14:11:58 2006 from client
[testuser@server ~]$ exit
Connection to 192.168.24.112 closed.
That's me authed and connected, which that SSH configuration typically wouldn't have allowed without PAM enabled since it's keys-only.
Now add an entry into access.conf.
[root@server ~]# grep -v ^# /etc/security/access.conf
-:testuser:ALL
[user@client ~]$ ssh -ltestuser 192.168.24.112
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
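To make the pam_access behaviour shown in the session above concrete, here is an added example (not part of the thread and not the pam_access source) that models how access.conf rules are evaluated: the first matching rule decides, `ALL`, `LOCAL`, `EXCEPT`, domain suffixes and network prefixes are honoured, and no match means access is granted. The `-:testuser:ALL` rule is the one from the thread; the second rule, the `(group)` syntax and the group membership are constructed assumptions for illustration, and the model deliberately omits some real pam_access features (netgroups, tty-versus-host distinctions).

```python
"""Simplified model of pam_access rule evaluation (added example, not the PAM module).

Lets an administrator reason about what a given /etc/security/access.conf
will do for a (user, origin) pair before it is deployed behind "UsePAM yes".
"""


def _parse_list(field):
    """Split a users/origins field into (include, exclude) around EXCEPT."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _match_user(item, user, groups):
    # ALL matches anyone; "(group)" forces a group match; a bare name
    # matches either the login name or a group the user belongs to.
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user or item in groups


def _match_origin(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin          # names without a dot: local hosts, ttys
    if item.startswith("."):
        return origin.endswith(item)      # domain suffix, e.g. ".example.org"
    if item.endswith("."):
        return origin.startswith(item)    # network prefix, e.g. "192.168."
    return item == origin


def _list_matches(field, match, *args):
    include, exclude = _parse_list(field)
    hit = any(match(i, *args) for i in include)
    return hit and not any(match(e, *args) for e in exclude)


def parse_access_conf(text):
    """Return a list of (permission, users_field, origins_field) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules


def access_allowed(rules, user, origin, groups=()):
    """First matching rule wins; with no match pam_access grants access."""
    for perm, users, origins in rules:
        if (_list_matches(users, _match_user, user, groups)
                and _list_matches(origins, _match_origin, origin)):
            return perm == "+"
    return True


# Constructed sample: rule 1 is the thread's rule, rule 2 is an assumed
# hardening rule that admits only members of "wheel" from the 192.168 net.
SAMPLE_ACCESS_CONF = """
# deny testuser from everywhere
-:testuser:ALL
-:ALL EXCEPT (wheel):192.168.
"""

RULES = parse_access_conf(SAMPLE_ACCESS_CONF)

if __name__ == "__main__":
    for user, origin, groups in [
        ("testuser", "192.168.24.112", ()),
        ("alice", "192.168.24.112", ()),
        ("alice", "192.168.24.112", ("wheel",)),
        ("alice", "10.0.0.5", ()),
    ]:
        verdict = "allow" if access_allowed(RULES, user, origin, groups) else "deny"
        print(f"{user}@{origin} groups={groups or '-'}: {verdict}")
```

Because the account stack in the thread runs `pam_access.so` as `required`, a `-` verdict here corresponds to the "Permission denied" seen once `-:testuser:ALL` was added, while users and origins that match no rule fall through to the default allow.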