openssh ignores locked account using public key authentication
Nicholas Leippe
nick at byu.edu
Mon Oct 3 13:51:44 MDT 2005
On Monday 03 October 2005 01:40 pm, Erik R. Jensen wrote:
> It appears that when using public key authentication with openssh, the
> locked status of an account is ignored. This means I can issue "passwd
> -l", and if the user had set up ssh keys for authentication, they can still
> log in. I know there are other ways to further lock an account which I have
> been doing, but I really just want openssh to respect the "!" that gets
> placed in the shadow file when a "passwd -l" is issued. Is there a change
> I can make in /etc/pam.d/sshd to force this check to happen or something I
> am just overlooking?
>
> I don't have this problem on the AIX and Solaris machines I manage, just
> the Linux boxen. I have done a little digging, but nothing in depth and
> thought I would post to the list to see if it can save me some time.
> Thanks.
If ssh is merely execing a shell, then:
    echo "logout" >> /home/$USER/.bash_profile
would probably do the trick. But, sftp may then still provide a hole around
it.
--
Respectfully,
Nicholas Leippe
Sales Team Automation, LLC
1335 West 1650 North, Suite C
Springville, UT 84663 +1 801.853.4090
http://www.salesteamautomation.com
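
An audit for the situation discussed in this thread, as an added example that is not part of either post: it lists accounts whose shadow entry carries the "!" lock prefix but that still have usable entries in authorized_keys. It assumes keys live in the default ~/.ssh/authorized_keys location; the function names, the optional ROOT prefix argument and all sample data are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): report accounts that
# "passwd -l" has locked ("!" prefix in the shadow password field) but that
# still have usable entries in ~/.ssh/authorized_keys.

# locked_with_keys SHADOW PASSWD [ROOT]
#   ROOT is an optional prefix for home directories, so the check can run
#   against a copied or mounted filesystem tree (assumption of this example).
locked_with_keys() {
    shadow=$1; passwd=$2; root=${3:-}
    awk -F: '
        FILENAME == ARGV[1] { if ($2 ~ /^!/) locked[$1] = 1; next }
        ($1 in locked)      { print $1, $6 }
    ' "$shadow" "$passwd" |
    while read -r user home; do
        keys="$root$home/.ssh/authorized_keys"
        # Report only if the file has at least one non-blank, non-comment line.
        if [ -s "$keys" ] && grep -Eqv '^[[:space:]]*(#|$)' "$keys"; then
            printf '%s\n' "$user"
        fi
    done
}

# Build a constructed sample tree: every name, hash and key below is made up.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol/.ssh" "$d/home/dave"
    cat > "$d/shadow" <<'EOF'
alice:!$6$constructed$hashA:13059:0:99999:7:::
bob:$6$constructed$hashB:13059:0:99999:7:::
carol:!$6$constructed$hashC:13059:0:99999:7:::
dave:!$6$constructed$hashD:13059:0:99999:7:::
EOF
    cat > "$d/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash
EOF
    echo 'ssh-ed25519 AAAAC3constructedkey alice@example' > "$d/home/alice/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAAC3constructedkey bob@example'   > "$d/home/bob/.ssh/authorized_keys"
    echo '# key removed by admin'                          > "$d/home/carol/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

sample=$(make_sample)
locked_with_keys "$sample/shadow" "$sample/passwd" "$sample"   # prints: alice
rm -rf "$sample"
```

Run as root with `/etc/shadow` and `/etc/passwd` and no third argument, the function checks the live system.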