openssh ignores locked account using public key authentication
Lonnie Olson
fungus at aros.net
Tue Oct 4 13:31:13 MDT 2005
On Oct 3, 2005, at 1:40 PM, Erik R. Jensen wrote:
> It appears that when using public key authentication with openssh, the
> locked status of an account is ignored. This means I can issue "passwd
> -l", and if the user had set up ssh keys for authentication, they can
> still log in. I know there are other ways to further lock an account
> which I have been doing, but I really just want openssh to respect the
> "!" that gets placed in the shadow file when a "passwd -l" is issued.
> Is there a change I can make in /etc/pam.d/sshd to force this check to
> happen or something I am just overlooking?
SSH will authenticate using a number of different methods: pubkey,
keyboard-interactive, and password.

Public key authentication uses PAM to do no more than look up the
home directory of the user. It actually might not use PAM at all and
just access the file directly. Locking an account has no effect on
this form of auth.

Keyboard-interactive (aka ChallengeResponse) will check for s/key
passwords, or use PAM to perform authentication. Locking an account
will not disable the s/key alternative here IIRC.

Password authentication will tunnel clear text passwords over the ssh
connection. Locking an account will disable this option.

The only sure way to lock an account from any SSH access is to remove
the entry from the passwd file altogether. If you don't use some
other form of user account management, you could just move their
passwd entry to a file called passwd.locked. This would prevent
*any* access by that user.
--lonnie
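The gap described in this thread (a "!" in the shadow password field stops password logins but does nothing to public-key logins) is easy to audit for. The script below is an added example written for this page, not code from either poster: it parses shadow(5) text, counts usable key lines in each user's authorized_keys content, and reports accounts whose password is locked but that still hold at least one key. The shadow lines, key material and user names are constructed sample data, and the live-system helper assumes the default `~/.ssh/authorized_keys` location (a non-default `AuthorizedKeysFile` in sshd_config would have to be reflected there).

```python
"""Audit helper: find accounts locked with ``passwd -l`` that still carry SSH keys.

A leading "!" in the second field of /etc/shadow only blocks *password*
authentication; sshd's public-key path never consults that field, so an
account locked this way may still log in with an authorized key.
"""
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ShadowEntry:
    name: str
    hash_field: str  # second field of the shadow line

    @property
    def password_locked(self) -> bool:
        # "passwd -l" prepends "!" to the hash; some distributions write "!!"
        # for an account whose password was never set. Both block password auth only.
        return self.hash_field.startswith("!")

    @property
    def password_disabled(self) -> bool:
        # "*" means no password can ever match; key-only accounts use this deliberately.
        return self.hash_field == "*"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5)-formatted text; blank and comment lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; skip rather than guess
        entries.append(ShadowEntry(name=fields[0], hash_field=fields[1]))
    return entries


def count_authorized_keys(text: str) -> int:
    """Count usable key lines in authorized_keys content (blank/comment lines excluded)."""
    return sum(1 for line in text.splitlines()
               if line.strip() and not line.strip().startswith("#"))


def find_lockout_gaps(shadow_text: str, keys_by_user: Dict[str, str]) -> List[str]:
    """Return users whose password is locked but who still hold at least one SSH key."""
    return [e.name for e in parse_shadow(shadow_text)
            if e.password_locked and count_authorized_keys(keys_by_user.get(e.name, "")) > 0]


def collect_authorized_keys(passwd_text: str) -> Dict[str, str]:
    """Read ~/.ssh/authorized_keys for every user listed in passwd(5) text.

    Assumes sshd's default AuthorizedKeysFile location (an assumption of this
    example); a non-default setting in sshd_config would need to be reflected here.
    """
    keys = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 6:
            continue
        path = os.path.join(fields[5], ".ssh", "authorized_keys")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                keys[fields[0]] = fh.read()
        except OSError:
            pass  # no file or unreadable: treated as "no keys"
    return keys


# Constructed sample data for demonstration only; not taken from any real system.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashvalue:16000:0:99999:7:::
alice:!$6$saltsalt$hashvalue:16000:0:99999:7:::
bob:!!:16000:0:99999:7:::
carol:*:16000:0:99999:7:::
dave:!$6$saltsalt$hashvalue:16000:0:99999:7:::
"""
SAMPLE_KEYS = {
    "alice": "# work laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA alice\n",
    "bob": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA bob\n",
    "carol": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA carol\n",
    "dave": "# key removed during offboarding\n",
}


if __name__ == "__main__":
    # Demo on the constructed sample, then (if readable) on the live system.
    print("sample:", find_lockout_gaps(SAMPLE_SHADOW, SAMPLE_KEYS))  # ['alice', 'bob']
    try:
        with open("/etc/shadow") as s, open("/etc/passwd") as p:
            print("system:", find_lockout_gaps(s.read(), collect_authorized_keys(p.read())))
    except OSError as exc:
        print("system check skipped (need root to read /etc/shadow):", exc)
```

In the sample, `alice` and `bob` are reported: both have a "!" in the password field and a live key line. `carol` is a deliberate key-only account (`*`), and `dave` is locked but his key has already been removed, so neither is a gap. Independently of this thread, note that sshd with `UsePAM yes` does run PAM's account stage for every authentication method, so an account expiry date (`usermod -e 1` or `chage -E 0`) or a `DenyUsers` entry in sshd_config closes the key-login path in a way that `passwd -l` alone does not.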