openssh ignores locked account using public key authentication

Lonnie Olson fungus at aros.net
Tue Oct 4 13:31:13 MDT 2005


On Oct 3, 2005, at 1:40 PM, Erik R. Jensen wrote:
> It appears that when using public key authentication with openssh, the
> locked status of an account is ignored. This means I can issue "passwd
> -l", and if the user had set up ssh keys for authentication, they can still
> log in. I know there are other ways to further lock an account which I have
> been doing, but I really just want openssh to respect the "!" that gets
> placed in the shadow file when a "passwd -l" is issued. Is there a change
> I can make in /etc/pam.d/sshd to force this check to happen or something I
> am just overlooking?

SSH will authenticate using a number of different methods: pubkey,
keyboard-interactive, and password.

Public key authentication uses PAM to do no more than look up the
home directory of the user.  It actually might not use PAM at all and
just access the file directly.  Locking an account has no effect on
this form of auth.

Keyboard-interactive (aka ChallengeResponse) will check for S/Key
passwords, or UsePAM to perform authentication.  Locking an account
will not disable the S/Key alternative here IIRC.

Password authentication will tunnel clear text passwords over the ssh
connection.  Locking an account will disable this option.

The only sure way to lock an account from any SSH access is to remove
the entry from the passwd file altogether.  If you don't use some
other form of user account management, you could just move their
passwd entry to a file called passwd.locked.  This would prevent
*any* access by that user.

--lonnie
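
An added example, not part of the thread above: a small POSIX sh audit that finds accounts locked with "passwd -l" (password field in the shadow file starting with "!", as Erik describes) that still have a non-empty authorized_keys file, i.e. exactly the accounts a key-based login would still get into. The shadow entries, key files and directory layout below are constructed for the example; it does not read the real /etc/shadow. It also builds a DenyUsers line for sshd_config, which is one of the "other ways" to shut the account out of sshd regardless of authentication method; that directive is sshd's own, the helper names (is_locked, locked_with_keys, deny_users_line, make_sample) are mine.

```shell
#!/bin/sh
# Audit: accounts locked with "passwd -l" ("!" prefix on the password field)
# that still carry an authorized_keys file, so public-key logins would still
# succeed. All data below is constructed; nothing reads the real /etc/shadow.

# is_locked PASSWORD_FIELD
# Succeeds when the field carries the "!" prefix that "passwd -l" prepends.
is_locked() {
    case "$1" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# locked_with_keys SHADOW_FILE KEY_DIR
# Prints one user per line: locked in SHADOW_FILE and with a non-empty key
# file at KEY_DIR/<user> (standing in for ~<user>/.ssh/authorized_keys).
locked_with_keys() {
    shadow=$1
    keydir=$2
    while IFS=: read -r user pwfield _rest; do
        if is_locked "$pwfield" && [ -s "$keydir/$user" ]; then
            printf '%s\n' "$user"
        fi
    done < "$shadow"
}

# deny_users_line USER...
# Builds a DenyUsers line for sshd_config. DenyUsers refuses the listed users
# before any authentication method is tried, so it covers pubkey as well.
deny_users_line() {
    [ $# -gt 0 ] || return 1
    printf 'DenyUsers %s\n' "$*"
}

# make_sample DIR
# Writes constructed shadow entries and key files under DIR:
#   alice  locked, has a key   -> should be reported
#   bob    not locked, has a key
#   carol  locked, no key file
#   root   not locked, no key file
make_sample() {
    dir=$1
    mkdir -p "$dir/keys"
    cat > "$dir/shadow" <<'EOF'
root:$6$r00tsalt$constructedhashvalue:13055:0:99999:7:::
alice:!$6$al1cesalt$constructedhashvalue:13055:0:99999:7:::
bob:$6$b0bsalt$constructedhashvalue:13055:0:99999:7:::
carol:!$6$car0lsalt$constructedhashvalue:13055:0:99999:7:::
EOF
    # Constructed key lines, not real key material.
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed alice@laptop' > "$dir/keys/alice"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed bob@desktop' > "$dir/keys/bob"
}

# Stand-alone run: build the sample, report, and print the DenyUsers line.
work=$(mktemp -d)
make_sample "$work"
hits=$(locked_with_keys "$work/shadow" "$work/keys")
if [ -n "$hits" ]; then
    echo "locked accounts that can still log in with a key:"
    echo "$hits"
    deny_users_line $hits
fi
rm -rf "$work"
```

To run this against a real host, point locked_with_keys at /etc/shadow (root needed) and at a directory of the users' actual authorized_keys files; sshd only reads a new DenyUsers line after a reload or restart. Moving the passwd entry out, as suggested above, removes the account from every service at once; DenyUsers only closes sshd.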
