1 nick June 5, 2007 at 4:34 pm

This works great on local users, it seems, but it's not having any effect on LDAP users or groups. What would you suggest as a way to control their access?

2 nixCraft June 5, 2007 at 6:04 pm

It should work; you need to play with PAM modules. PAM is designed for this kind of work only.

3 Gerald August 28, 2009 at 10:32 am

If you want to block all ssh access (via login/password) AND via authorized_keys, you should use ‘account required pam_listfile.so item=user sense=allow file=/etc/ssh/sshd.allow onerr=succeed’

because the ‘auth xxx’ line seems not to be checked if sshd uses public key authentication.

Best regards

4 Bhagesh September 2, 2009 at 11:52 am

It is working fine for ssh and scp.
Now I want to block only the ssh login session, and I require the scp file transfer.
Does anybody have an idea?

5 Chuck Hale December 22, 2009 at 11:34 am

Article solved my problem!

6 Kevin December 30, 2009 at 11:21 pm

In my experience, the line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail

must be prepended (i.e., placed as the first line) in the file, not appended as this article states.

7 vimbyseno March 16, 2010 at 2:37 pm

my config:
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshd/user-sshd onerr=fail

user in user-sshd:

Now root can’t remote into the VPS :(
If I log in as root using PuTTY, the console window (PuTTY) closes immediately when root logs in to the VPS :(
How do I solve my problem? Please help me.

8 Rajesh March 29, 2010 at 6:58 pm

Boot from a rescue CD and edit the files.

9 Gerrard Geldenhuis May 13, 2010 at 12:07 pm

As stated above it is key to prepend the line to allow it to be executed by pam. There is also no need at all to restart sshd.

10 suzuki October 2, 2010 at 7:20 am


It doesn’t work for my system. Why?

11 mark December 14, 2011 at 12:12 pm

It’s not working on OpenLDAP authentication with a white list in /etc/ssh/ssh.allow.

Dec 14 18:47:11 PDCSERVER slapd[21346]: conn=64795871 op=1 SRCH base="ou=Users,dc=kama,dc=in" scope=1 deref=0 filter="(&(objectClass=shadowAccount)(uid=rana.taba))"

Dec 14 18:47:11 showa9 sshd[22655]: error: PAM: Authentication failure for rana.taba from

12 dave November 22, 2012 at 2:07 pm

I have a question regarding the difference between using onerr=fail and onerr=succeed. Does it mean that if I have onerr=succeed and something unexpected happens with the PAM module, it will allow the user login to continue? If this is true, then this is a big security risk, but on the other hand a big risk is also having onerr=fail, which will lock the system completely in case something unexpected happens.

13 Josh May 29, 2013 at 12:53 pm

Please be aware that this only works if PAM is processed. If you’re using SSH keys, PAM _auth_ will be skipped entirely, thus allowing anyone with a key in to the system. You would need to limit it in the account or session areas instead, or sshd itself.
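The points raised in comments 3, 12 and 13 (a pam_listfile line in the auth stack is skipped for key-based logins, and onerr decides between fail-open and lockout) can be checked mechanically. The shell function below is an added example, not part of the original article or comments; the finding names (AUTH_ONLY, FAIL_OPEN, MISSING_LIST) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how pam_listfile.so is wired into a PAM service file.
# It does not follow @include lines. Prints one finding per line:
#   AUTH_ONLY            in the auth stack only; public-key logins skip it
#   FAIL_OPEN <type>     onerr=succeed: a module error lets the login continue
#   MISSING_LIST <path>  file= target is absent, so onerr decides every login
audit_pam_listfile() {
    entries=$(awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        /pam_listfile\.so/ {
            type = $1; sub(/^-/, "", type)       # "-auth" is still the auth stack
            onerr = "unset"; path = "-"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^onerr=/) onerr = substr($i, 7)
                if ($i ~ /^file=/)  path  = substr($i, 6)
            }
            print type, onerr, path
        }' "$1")
    has_auth=0; has_account=0
    while read -r type onerr path; do
        if [ -z "$type" ]; then continue; fi
        case $type in auth) has_auth=1 ;; account) has_account=1 ;; esac
        if [ "$onerr" = succeed ]; then echo "FAIL_OPEN $type"; fi
        if [ "$path" != - ] && [ ! -e "$path" ]; then echo "MISSING_LIST $path"; fi
    done <<EOF
$entries
EOF
    if [ "$has_auth" = 1 ] && [ "$has_account" = 0 ]; then echo "AUTH_ONLY"; fi
    return 0
}
# Constructed samples: an allow list and two pam.d/sshd variants in a temp dir.
make_samples() {
    dir=$(mktemp -d)
    echo "alice" > "$dir/sshd.allow"
    # Variant 1: auth stack only, list file present.
    printf '%s\n' "auth required pam_listfile.so item=user sense=allow file=$dir/sshd.allow onerr=fail" \
        "account required pam_unix.so" > "$dir/sshd.auth_only"
    # Variant 2: account stack, fail-open, list file missing.
    printf '%s\n' "# auth required pam_listfile.so item=user sense=allow file=$dir/x onerr=fail" \
        "account required pam_listfile.so item=user sense=allow file=$dir/gone onerr=succeed" > "$dir/sshd.account"
    echo "$dir"
}
d=$(make_samples)
for f in "$d/sshd.auth_only" "$d/sshd.account"; do
    echo "== $f"; audit_pam_listfile "$f"
done
rm -rf "$d"
```

On a real host, call `audit_pam_listfile /etc/pam.d/sshd` and test any change from a second, already-open session before logging out.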
