Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/22/2010 02:33 AM, Gerrard Geldenhuis wrote:
>
> It is unfortunate. It would be nice if you could do a logical AND in
> PAM to utilize two sources of authentication. My understanding was
> that PAM is the bastion for all authentication and that nothing
> happens without its say so.

Just to be clear, my comment about PAM support being imperfect was 
directed at OpenSSH only.  PAM is a very nice system, and you can 
certainly do a logical "and" in its configuration by marking multiple 
services "required".  The problem in this case is that OpenSSH does some 
of its authentication outside of PAM, so it isn't possible to lock a 
user out with PAM unless you turn off the parts of OpenSSH that may also 
authenticate users.  That is, you'd have to disable key logins entirely.

Unless I'm wrong.  I could be.  It may simply be that pam_ldap isn't 
using pam_filter in the "account" stack, where it would be useful in 
this case.  If that were true, we'd need to fix pam_ldap.  I wonder if 
SSS behaves the same way?
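
An added example, not part of the original post: a small audit of whether key-based logins on a host still pass through a directory module in the PAM "account" stack. It relies on the sshd_config(5) statement that `UsePAM yes` enables PAM account and session processing for all authentication types. The file contents, the service names and the module list (`pam_ldap.so`, `pam_sss.so`) are constructed assumptions, and the script does not test whether that module actually rejects a disabled LDAP entry, which is the open pam_filter question above.

```python
import re

# Constructed sample files (not taken from the thread or from any real host).
SSHD_CONFIG = """\
PubkeyAuthentication yes
UsePAM yes
"""
PAM_FILES = {
    "sshd": """\
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
""",
    "system-auth": """\
auth       sufficient   pam_unix.so
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
account    required     pam_permit.so
""",
}

def sshd_option(text, name, default):
    """Return a keyword's value; sshd uses the first occurrence, case-insensitively."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return default

def stack(files, service, kind):
    """Flatten one PAM stack into (control, module) pairs, following include/substack."""
    out = []
    for line in files.get(service, "").splitlines():
        m = re.match(r"\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#", 1)[0])
        if not m or m.group(1) != kind:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            out += stack(files, target, kind)
        else:
            out.append((control, target))
    return out

def key_logins_checked(sshd_text, files, modules=("pam_ldap.so", "pam_sss.so")):
    """True when key logins still reach a directory module in the account stack."""
    if sshd_option(sshd_text, "UsePAM", "no") != "yes":
        return False  # without UsePAM, sshd runs no PAM account checks at all
    # An "optional" module's verdict is normally ignored, so it does not count.
    return any(m in modules and c != "optional" for c, m in stack(files, "sshd", "account"))
```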

