openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at netradius.com
Wed Oct 5 13:15:46 MDT 2005


> One solution is to add pam_listfile to the stack for the apps that
> provide access to your machine (under each applicable context) and add
> usernames to the listfile that is specified as a parameter to the
> module.
>
> http://uw714doc.sco.com/en/SEC_pam/pam-6.html#ss6.13

This is true, but it would essentially be the same thing as manually
editing the Allow* and Deny* entries in sshd_config. It still takes an
extra step to make it happen. Perhaps I am just picky in that I think it
should not take any extra effort to lock an account other than issuing a
"passwd -l". It's definitely something AIX got right (chuser
account_locked=true erjensen), even if everything else in that OS is a
pita.

OT: I appreciate everyone's info. I think discussions like this should
happen more often on the PLUG.

-- 
Erik R. Jensen
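
The gap discussed in this message, as an added example that is not part of the original post: an audit that lists accounts whose password is locked but which still have a non-empty authorized_keys file. It assumes the Linux shadow format, where "passwd -l" prefixes the hash with "!", and the default ~/.ssh/authorized_keys location; the function names and the sample users are made up for illustration.

```shell
#!/bin/sh
# Added example: report accounts that are password-locked but still have keys.
# Assumptions: Linux shadow format ("passwd -l" prefixes the hash with "!")
# and keys in the default ~/.ssh/authorized_keys location.

# locked_users SHADOW_FILE: names whose password field starts with "!"
locked_users() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# home_of USER PASSWD_FILE: home directory (field 6) of USER
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2"
}

# locked_with_keys SHADOW PASSWD [ROOT]: locked users with a non-empty key file
locked_with_keys() {
    shadow=$1; passwd=$2; root=${3:-}
    for user in $(locked_users "$shadow"); do
        home=$(home_of "$user" "$passwd")
        [ -n "$home" ] || continue
        # -s: file exists and is non-empty
        if [ -s "$root$home/.ssh/authorized_keys" ]; then
            echo "$user"
        fi
    done
}

# Constructed sample data, not taken from a real system.
make_sample() {
    mkdir -p "$1/home/alice/.ssh" "$1/home/bob/.ssh" "$1/home/carol"
    printf '%s\n' 'alice:!$6$salt$hash:13061:0:99999:7:::' \
        'bob:$6$salt$hash:13061:0:99999:7:::' \
        'carol:!$6$salt$hash:13061:0:99999:7:::' > "$1/shadow"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
        'bob:x:1001:1001::/home/bob:/bin/sh' \
        'carol:x:1002:1002::/home/carol:/bin/sh' > "$1/passwd"
    echo 'ssh-rsa AAAAconstructed alice@example' > "$1/home/alice/.ssh/authorized_keys"
    echo 'ssh-rsa AAAAconstructed bob@example' > "$1/home/bob/.ssh/authorized_keys"
}

tmp=$(mktemp -d)
make_sample "$tmp"
locked_with_keys "$tmp/shadow" "$tmp/passwd" "$tmp"   # prints: alice
rm -rf "$tmp"
```

On a live host the same check is `locked_with_keys /etc/shadow /etc/passwd` run as root; a non-default AuthorizedKeysFile setting in sshd_config would need the path in the function adjusted.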



