openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at netradius.com
Wed Oct 5 10:20:13 MDT 2005


> On 10/4/05, Lonnie Olson <fungus at aros.net> wrote:
>> public key authentication uses PAM to do no more than look up the
>> home directory of the user.  It actually might not use PAM at all and
>> just access the file directly.  Locking an account has no effect on
>> this form of auth.

From what I have gathered, if UsePAM is set to yes in the sshd_config
file, and public key authentication is used, callbacks will be made only
to pam_sm_acct_mgmt and pam_sm_open_session, not pam_sm_authenticate. So
only modules of the type session and account will be called in the
pam.d/sshd config.

The problem, I believe, stems from the fact that none of the modules
listed for account and session types check for a locked password in
/etc/shadow. The pam_unix module, which does the checking, checks in its
_unix_verify_password function in unix_chkpwd.c (line 360). This is not
called for the pam_sm_acct_mgmt or pam_sm_open_session functions in that
module since there is no password to verify.

So, if I want to only have to run one command "passwd -l" to truly lock
any account and not deal with setting shells to false or managing some
kind of access list, I will either have to modify the pam_unix module, or
code my own to perform verification on the shadow file during
pam_sm_acct_mgmt or pam_sm_open_session. I believe something similar to
this may be what happens on Solaris and AIX, but need to verify.

Anyone agree or disagree with this?

> Locking an account can actually affect publickey authentication as
> long as UsePAM is set to yes in the sshd_config and the linux PAM
> function pam_acct_mgmt() is working as it should be (as the Solaris
> PAM function does).  In this scenario sshd will authenticate the user
> with publickey and will then call the pam_acct_mgmt and
> pam_open_session functions that should fail based on the locked
> account (this is how it works on Solaris).  If UsePAM is set to no
> these functions wouldn't be called and a locked account would be
> allowed by publickey.

This is not the case. I have had UsePAM enabled as well as the previous
settings you mentioned (trimmed from this email) and the problem still
persists. I again believe that there just needs to be some kind of check
in a required module when the pam_acct_mgmt function is called.

> The best thing anyone can do for SSH security is disable every
> non-essential and duplicate authentication method.  A typical
> configuration I'll use is (auth section only):

I totally agree, but it does not appear to fix this issue related to
public key authentication in regards to locked accounts.

-- 
Erik R. Jensen
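
The account-phase check proposed in the message above, as an added example that is not part of the original post or of pam_unix. It assumes the shadow-utils convention that `passwd -l` prefixes the hash field with `!`; the names `shadow_acct_status` and `SAMPLE_SHADOW` are hypothetical, and a real module would call getspnam(3) from pam_sm_acct_mgmt instead of parsing text.

```c
#include <stdio.h>
#include <string.h>

enum acct_status { ACCT_OK = 0, ACCT_LOCKED = 1, ACCT_UNKNOWN = 2 };

/* Assumption: passwd -l locks an account by prefixing the hash field with '!'. */
static int hash_is_locked(const char *hash)
{
    return hash != NULL && hash[0] == '!';
}

/* Look up `user` in shadow-format text (name:hash:lastchg:...), one entry per
 * line. Hypothetical helper: a PAM module would map ACCT_LOCKED and
 * ACCT_UNKNOWN to a failure return from pam_sm_acct_mgmt. */
enum acct_status shadow_acct_status(const char *shadow_text, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = shadow_text;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Match the whole name field, so "bob" does not match "bobby". */
        if (len > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *h = line + ulen + 1;
            size_t rem = len - ulen - 1;
            const char *colon = memchr(h, ':', rem);
            char hash[256];
            size_t hlen = colon ? (size_t)(colon - h) : rem;
            if (hlen >= sizeof(hash))
                return ACCT_UNKNOWN;        /* malformed entry: fail closed */
            memcpy(hash, h, hlen);
            hash[hlen] = '\0';
            return hash_is_locked(hash) ? ACCT_LOCKED : ACCT_OK;
        }
        line = eol ? eol + 1 : NULL;
    }
    return ACCT_UNKNOWN;                    /* no entry: fail closed */
}

/* Constructed sample entries; the hashes are placeholders, not real. */
static const char SAMPLE_SHADOW[] =
    "alice:$6$salt$placeholderhash:13061:0:99999:7:::\n"
    "bob:!$6$salt$placeholderhash:13061:0:99999:7:::\n"
    "bobby:$6$salt$placeholderhash:13061:0:99999:7:::\n";

int main(void)
{
    printf("alice=%d bob=%d\n", shadow_acct_status(SAMPLE_SHADOW, "alice"),
           shadow_acct_status(SAMPLE_SHADOW, "bob"));
    return 0;
}
```

Accounts created without any password commonly carry a `!` in the hash field as well, so a policy like this also denies key-only accounts that were never given a password.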
