> GNUtoo@xxxxxxxxxx wrote:
>> Hello,
>> I'd like to use only PAM (for requiring additional restrictions) for
>> OpenSSH authentications and I'd like to have:
>> * key authentications
>> * s/key-like authentications but more secure (because I was told that the
>>   randomness of the s/key passwords is not secure nowadays)
>> (and additional things such as an anti-brute-force system for PAM and
>> login restrictions based on the time/date)
>>
>> but I haven't been successful so far...
>> I first wanted to forbid accounts other than the ones listed in
>> /etc/ssh/sshd.allow: I've done the following
>> in /etc/ssh/sshd_config I've used PAM:
>> UsePAM yes
>> normal passwords were disabled, key enabled and s/key disabled
>> and I added:
>> auth required pam_listfile.so item=user sense=allow
> [...]
>> but it didn't work... accounts not listed in the file could still log in
>> via SSH
>
> ... using public-key authentication:
>
>> debug1: matching key found: file /home/xxx/.ssh/authorized_keys, line 1
>
> SSH's public-key authentication does not use the PAM auth stack (it
> can't) but it does use the account stack for all auth types. Add your
> pam_listfile to the account stack and it should do what you want.

thanks a lot!!! it works
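The fix discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH/Linux-PAM: it parses a PAM service file and reports access-control modules that sit only in the `auth` stack, where public-key logins never reach them. The sample file contents, the `file=` and `onerr=` options, and the function names are assumptions made for illustration.

```python
import os
import re

# Modules whose job is to restrict who may log in (the thread uses pam_listfile).
ACCESS_MODULES = {"pam_listfile.so"}

RULE = re.compile(
    r"^-?(auth|account|password|session)\s+"   # management group (optional '-' prefix)
    r"(\[[^\]]*\]|\S+)\s+"                      # control: keyword or [value=action ...]
    r"(\S+)\s*(.*)$"                            # module path, then its arguments
)

def parse_pam(text):
    """Return (group, control, module_basename, args) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        m = RULE.match(line)
        if m:
            group, control, module, args = m.groups()
            rules.append((group, control, os.path.basename(module), args))
    return rules

def bypassed_by_pubkey(text):
    """Access-control modules present in 'auth' but absent from 'account'.

    sshd skips the auth stack for public-key logins, so these never run for them.
    Rules pulled in through include/substack are not followed here.
    """
    rules = parse_pam(text)
    in_auth = {m for g, _, m, _ in rules if g == "auth"}
    in_account = {m for g, _, m, _ in rules if g == "account"}
    return sorted((in_auth - in_account) & ACCESS_MODULES)

# Constructed samples of /etc/pam.d/sshd; file= and onerr= are assumed options,
# the thread elides the rest of the original line.
LISTFILE = "pam_listfile.so item=user sense=allow file=/etc/ssh/sshd.allow onerr=fail"
AUTH_ONLY = f"""\
auth     required  {LISTFILE}
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so
"""
FIXED = f"""\
auth     required  pam_unix.so
account  required  {LISTFILE}
account  required  pam_unix.so
session  required  pam_unix.so
"""

if __name__ == "__main__":
    print("auth-only config, skipped for key logins:", bypassed_by_pubkey(AUTH_ONLY))
    print("fixed config, skipped for key logins:", bypassed_by_pubkey(FIXED))
```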