openssh ignores locked account using public key authentication

Corey Edwards tensai at zmonkey.org
Tue Oct 4 13:45:56 MDT 2005


On Tue, 2005-10-04 at 13:31 -0600, Lonnie Olson wrote:
> The only sure way to lock an account from any SSH access is to remove  
> the entry from the passwd file altogether.  If you don't use some  
> other form of user account management, you could just move their  
> passwd entry to a file called passwd.locked.  This would prevent  
> *any* access by that user.

The problem there is that now their UID is gone so files owned by that
user won't show an owner, just a number. And you have the possibility of
re-using that UID.

This is something I've had on my TODO list for a while. We use LDAP for
our user accounts and I'm still trying to figure out for sure if the
accounts I've locked out are really locked out. I'm hoping to get some
time this week to investigate further. If that happens (a big IF), I'll
post a follow-up.

Corey
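
An added example, not part of the original message: a check for the situation in the subject line, listing local accounts whose password is locked but which still have a non-empty authorized_keys file. It assumes shadow-style local files (not LDAP) and the default `~/.ssh/authorized_keys` location; `locked_users`, `locked_with_keys`, `demo` and the sample accounts are constructed for illustration.

```python
import os
import tempfile

def locked_users(shadow_text):
    """Names whose shadow password field starts with '!' or '*' (no password login)."""
    locked = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1][:1] in ("!", "*"):
            locked.add(fields[0])
    return locked

def locked_with_keys(passwd_text, shadow_text, root="/"):
    """Return (name, uid, shell) for locked accounts that still hold SSH keys."""
    locked = locked_users(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[0] not in locked:
            continue
        # Assumption: sshd uses the default AuthorizedKeysFile location.
        keyfile = os.path.join(root, f[5].lstrip("/"), ".ssh", "authorized_keys")
        if os.path.isfile(keyfile) and os.path.getsize(keyfile) > 0:
            findings.append((f[0], int(f[2]), f[6]))
    return findings

# Constructed sample data: alice is active, bob and carol are locked with '!'.
PASSWD = """alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
"""
SHADOW = """alice:$6$constructed$hash:13060:0:99999:7:::
bob:!$6$constructed$hash:13060:0:99999:7:::
carol:!$6$constructed$hash:13060:0:99999:7:::
"""

def demo():
    """Build a throwaway tree where alice and bob have keys, carol has none."""
    with tempfile.TemporaryDirectory() as root:
        for user in ("alice", "bob"):
            ssh_dir = os.path.join(root, "home", user, ".ssh")
            os.makedirs(ssh_dir)
            with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
                fh.write("ssh-ed25519 CONSTRUCTED-KEY-PLACEHOLDER %s@example\n" % user)
        return locked_with_keys(PASSWD, SHADOW, root)

if __name__ == "__main__":
    for name, uid, shell in demo():
        print("locked but has authorized_keys: %s (uid %d, shell %s)" % (name, uid, shell))
```

Each account it reports keeps its passwd entry and UID, so file ownership still resolves to a name while the leftover key file is reviewed.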
