openssh ignores locked account using public key authentication
Michael Halcrow
mike at halcrow.us
Wed Oct 5 12:12:50 MDT 2005
On Wed, Oct 05, 2005 at 10:20:13AM -0600, Erik R. Jensen wrote:
> > On 10/4/05, Lonnie Olson <fungus at aros.net> wrote:
> >> public key authentication uses PAM to do no more than look up the
> >> home directory of the user. It actually might not use PAM at all and
> >> just access the file directly. Locking an account has no effect on
> >> this form of auth.
>
> From what I have gathered, if UsePAM is set to yes in the
> sshd_config file, and public key authentication is used, callbacks
> will be made only to pam_sm_acct_mgmt and pam_sm_open_session, not
> pam_sm_authenticate. So only modules of the type session and account
> will be called in the pam.d/sshd config.
One solution is to add pam_listfile to the stack for the apps that
provide access to your machine (under each applicable context) and add
usernames to the listfile that is specified as a parameter to the
module.
http://uw714doc.sco.com/en/SEC_pam/pam-6.html#ss6.13
Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
"Given the choice between dancing pigs and security, users will pick
dancing pigs every time."
- Ed Felten
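As an added illustration of the fix described in the post above (example configuration, not part of the original message), the pam_listfile stanza goes into the account stack of the sshd PAM service, because that is the stack key-based logins still traverse. The deny-list path /etc/ssh/denied_users is an assumed name; /etc/pam.d/sshd is the usual service file on Linux-PAM systems.

```pam
# /etc/ssh/sshd_config (relevant line only): without UsePAM yes, sshd
# calls no PAM stack at all for public-key logins and nothing below applies.
#   UsePAM yes

# /etc/pam.d/sshd (account section). Public-key authentication skips the
# auth stack, so a module placed under "auth" never sees a key-based login;
# "account" and "session" are the only stacks that run for it.
#
#   item=user    compare the login name against the list
#   sense=deny   names present in the file are refused
#   onerr=fail   a missing or unreadable list file denies, rather than allows
#   file=...     one username per line; assumed path, pick your own
account  required  pam_listfile.so onerr=fail item=user sense=deny file=/etc/ssh/denied_users
account  required  pam_unix.so

# /etc/ssh/denied_users (constructed sample contents, one name per line):
#   contractor01
#   olduser
```

Add a username to the list file when you lock the account; the same stanza can be repeated under each PAM service that grants access to the host, as the post suggests.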