Problem with using both pam_listfile to deny logins and pubkey authentication

Darren Moffat Darren.Moffat at eng.sun.com
Thu Feb 14 08:37:46 EST 2002


>I'm trying to use pam_listfile.so to deny logins from all others but few 
>users (names in /etc/loginusers). With password authentication it works 
>fine, but with public key authentication OpenSSH lets in users whose 
>names aren't in /etc/loginusers. AllowUsers in sshd_config does what 
>one would expect.

This is NOT a problem with OpenSSH; it does all the correct PAM calls.

The problem is your PAM module.  You have it listed against auth which
makes me believe it is implementing pam_authenticate.  This is NOT an
auth action; it is an account management action.

I have a very similar module that I wrote but it does it correctly
as a pam_sm_acct_mgmt() implementation not a pam_sm_authenticate().

>Has anyone else noticed this or is it Debian's or my own problem?

Whoever wrote the pam_listfile module, they didn't fully understand
what they were writing.

Authentication in PAM is about proving to the system who you are.
Account Management is about the system deciding if the already authenticated
user (either via PAM or external means in the case of ssh with public keys
or cron) is allowed into this machine at this time.

You have my permission to forward this message to the author of the
pam_listfile module.

--
Darren J Moffat
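
The distinction drawn in the message above, as an added example that is not part of the original post or of any PAM or OpenSSH code: a toy Python model of which PAM stacks sshd runs for password versus public key logins. The two pam.d variants, the user names and the simplified module behaviour are constructed assumptions, and the corrected variant assumes a pam_listfile build that provides the account type.

```python
ALLOWED = {"alice", "bob"}  # constructed stand-in for the names in /etc/loginusers

# Constructed /etc/pam.d/sshd variants: list check under auth vs. under account.
MISPLACED = """\
auth     required  pam_listfile.so item=user sense=allow file=/etc/loginusers onerr=fail
auth     required  pam_unix.so
account  required  pam_unix.so
"""
CORRECTED = """\
auth     required  pam_unix.so
account  required  pam_listfile.so item=user sense=allow file=/etc/loginusers onerr=fail
account  required  pam_unix.so
"""

def parse_stack(conf, mtype):
    """Return the module names configured for one type (auth or account)."""
    modules = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            modules.append(fields[2])
    return modules

def run_stack(modules, user, credentials_ok):
    """All entries are 'required' in this model, so every module must pass."""
    for mod in modules:
        if mod == "pam_listfile.so" and user not in ALLOWED:
            return False
        if mod == "pam_unix.so" and not credentials_ok:
            return False
    return True

def login_allowed(conf, user, method, password_ok=True):
    """method is 'password' or 'publickey'.

    sshd verifies public keys itself, so only the password path runs the
    auth stack (pam_authenticate); both paths run account (pam_acct_mgmt).
    """
    if method == "password":
        if not run_stack(parse_stack(conf, "auth"), user, password_ok):
            return False
    return run_stack(parse_stack(conf, "account"), user, True)

if __name__ == "__main__":
    for name, conf in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        for method in ("password", "publickey"):
            print(name, method, "carol ->", login_allowed(conf, "carol", method))
```

With the list check under auth, the unlisted user "carol" is refused on the password path but admitted on the public key path; under account she is refused on both.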




More information about the openssh-unix-dev mailing list