openssh ignores locked account using public key authentication

Michael Halcrow mike at halcrow.us
Wed Oct 5 12:12:50 MDT 2005


On Wed, Oct 05, 2005 at 10:20:13AM -0600, Erik R. Jensen wrote:
> > On 10/4/05, Lonnie Olson <fungus at aros.net> wrote:
> >> public key authentication uses PAM to do no more than look up the
> >> home directory of the user.  It actually might not use PAM at all and
> >> just access the file directly.  Locking an account has no effect on
> >> this form of auth.
> 
> From what I have gathered, if UsePAM is set to yes in the
> sshd_config file, and public key authentication is used, callbacks
> will be made only to pam_sm_acct_mgmt and pam_sm_open_session, not
> pam_sm_authenticate. So only modules of the type session and account
> will be called in the pam.d/sshd config.

One solution is to add pam_listfile to the stack for the apps that
provide access to your machine (under each applicable context) and add
usernames to the listfile that is specified as a parameter to the
module.

http://uw714doc.sco.com/en/SEC_pam/pam-6.html#ss6.13

Mike
.___________________________________________________________________.
                         Michael A. Halcrow                          
       Security Software Engineer, IBM Linux Technology Center       
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C  20F5 DB40 8531 6DCA 8769

"Given the choice between dancing pigs and security, users will pick 
dancing pigs every time."                                            
 - Ed Felten 
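As an added illustration of the pam_listfile approach Mike describes (example configuration, not from the original post): because a public-key login never runs the "auth" stack, the deny module must sit in the "account" stack of /etc/pam.d/sshd. The file name /etc/ssh/deny_users and the usernames in it are assumptions for this example; the pam_listfile options item, sense, file and onerr are the module's real parameters.

```pam
# /etc/pam.d/sshd  (only the "account" stack is shown; auth/session/password are unchanged)
#
# With UsePAM yes and a public-key login, sshd calls pam_acct_mgmt and
# pam_open_session but not pam_authenticate, so a pam_listfile line in the
# "auth" stack would never run for key-based logins. Put it in "account".
#
#   item=user      compare the login name against the list
#   sense=deny     a listed name is refused; everyone else passes this module
#   file=...       one username per line (assumed path /etc/ssh/deny_users)
#   onerr=fail     if the file cannot be read, refuse the login (fail closed)
account  required  pam_listfile.so onerr=fail item=user sense=deny file=/etc/ssh/deny_users
account  required  pam_nologin.so
account  include   common-account

# /etc/ssh/deny_users  (assumed path; keep it root-owned and mode 0600)
# Usernames below are constructed examples for this illustration.
alice
bob
```

The same pam_listfile line belongs in the account stack of every other PAM-aware login service on the host (login, su, the display manager), since the listfile is per-service, not global.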