19 comment

  1. This works great on local users it seems, but its not having any effect on ldap users, or groups, what would you suggest as a way to control their access?

  2. Hi,
    If you want block all ssh access (via login/password) AND vi authorized_keys, you shoud use ‘account required pam_listfile.so item=user sense=allow file=/etc/ssh/sshd.allow onerr=succeed’

    because ‘auth xxx’ line seems not checked if sshd use public keys authentification.

    Bst Regard

  3. It is working fine for ssh and scp.
    Now I wants to block only the ssh login session. and I required the scp file transfer
    anybody have an Idea

  4. In my experience, the line:
    auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail

    must be prepended (i.e., placed as the first line) in the file, not appended as this article states.

  5. my config:
    auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshd/user-sshd onerr=fail

    user in user-sshd:

    now root can’t remote the vps 🙁
    if i login as root using putty, the console window (putty) closed immedietly when root loged to vps 🙁
    how to solve my problem??? plis help me

  6. As stated above it is key to prepend the line to allow it to be executed by pam. There is also no need at all to restart sshd.

  7. It’s not working on openldap authentication with white list on /etc/ssh/ssh.allow.

    Dec 14 18:47:11 PDCSERVER slapd[21346]: conn=64795871 op=1 SRCH base=”ou=Users,dc=kama,dc=in” scope=1 deref=0 filter=”(&(objectClass=shadowAccount)(uid=rana.taba))”

    Dec 14 18:47:11 showa9 sshd[22655]: error: PAM: Authentication failure for rana.taba from

  8. I have a question regarding difference between using onerr=fail and onerr=succeed. Does it mean that if I have onerr=succeed and in case something unexpected happens with PAM module, it will allow user login to continue? If this is true then this is big security risk, but on the other hand big risk is also having onerr=fail which will lock the system completely in case something unexpected happens.

  9. Please be aware that this only works if PAM is processed. If you’re using SSH keys, PAM _auth_ will be skipped entirely, thus allowing anyone with a key in to the system. You would need to limit it in the account or session areas instead, or sshd itself.

  10. Thank you for sharing your info. I truly appreciate your efforts and I am waiting for your further write ups thanks once again.

  11. Issue here is /etc/security/limits.conf and the ‘maxlogins’ parameter. It works fine for unprivileged users, but I also want it to apply to root logins, whether they are from the console or SSH. My limits.conf has:

    root – maxlogins 2

    but it does not work.

    # man limits.conf

    maximum number of logins for this user except for this with uid=0


    # man pam_limits

    Users of uid=0 are affected by this [sic] limits, too.

    Josh, I was hoping your pointer re: SSH keys would do the trick — I moved /root/.ssh/authorized_keys to authorized_keys.bak, and password prompts came back … but root can still login via SSH infinitely.


  12. Nice post. I learn something new and challenging on websites I stumbleupon on a daily basis. It’s always interesting to read articles from other authors and use a little something from their web sites.

  13. Hi All ,

    I wanted to disable UsePAM no in ssh configuration file at user level so could you please help to achieve the same .

Leave a Comment