openssh ignores locked account using public key authentication
Erik R. Jensen
erikrj at netradius.com
Sat Oct 8 01:46:46 MDT 2005
> Looks like you're right. For some strange reason Linux PAM doesn't
> bother checking for account status in pam_acct_mgmt() where Solaris
> PAM does, for exactly this sort of reason. I wonder if there is a
> patch to Linux PAM's pam_unix.so to make it work correctly for session
> and account management.
I got a little bored tonight watching TV and sitting on IRC so I wrote a
little PAM module to fix the problem. It will check for locked shadow
passwords during the pam_sm_acct_mgmt callback preventing locked users
from obtaining a login even if they are using public/private key
authentication. I've placed it at the following URL with some instructions
in case anyone is interested.
http://users.netradius.com/~erikrj/pam_shadow_locked.tbz2
http://users.netradius.com/~erikrj/pam_shadow_locked/
--
Erik R. Jensen
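
The account-phase check described in the message above, as an added example that is not the code of the linked pam_shadow_locked module. It assumes the '!' prefix that `passwd -l` writes into the shadow password field; the function names and sample entries are hypothetical, and a real module would obtain the field via getspnam() inside pam_sm_acct_mgmt rather than from strings.

```c
#include <stdio.h>
#include <string.h>

enum { SHADOW_OK = 0, SHADOW_LOCKED = 1, SHADOW_NO_MATCH = -1, SHADOW_MALFORMED = -2 };

/* Inspect one shadow(5) line ("name:passwd:lastchg:...") and report whether
 * `user`'s password field starts with '!' (assumed lock marker, see lead-in). */
int shadow_line_locked(const char *line, const char *user)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return SHADOW_NO_MATCH;              /* no name field: cannot be this user */
    size_t name_len = (size_t)(colon - line);
    if (strlen(user) != name_len || strncmp(line, user, name_len) != 0)
        return SHADOW_NO_MATCH;              /* exact name match only, no prefixes */
    const char *pw = colon + 1;
    if (strchr(pw, ':') == NULL)
        return SHADOW_MALFORMED;             /* password field is not terminated */
    return pw[0] == '!' ? SHADOW_LOCKED : SHADOW_OK;
}

/* Decision for the account phase, independent of how the user authenticated:
 * 1 = allow, 0 = deny. Fails closed on a missing or malformed entry. */
int account_allowed(const char *const *lines, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++) {
        int r = shadow_line_locked(lines[i], user);
        if (r != SHADOW_NO_MATCH)
            return r == SHADOW_OK;
    }
    return 0;
}

/* Constructed sample entries, not taken from any real system. */
static const char *const SAMPLE_SHADOW[] = {
    "alice:$6$c29tZXNhbHQ$constructedhash:12950:0:99999:7:::",
    "bob:!$6$c29tZXNhbHQ$constructedhash:12950:0:99999:7:::",
    "carol:!!:12950:0:99999:7:::",
    "dave:$6$c29tZXNhbHQ$truncated-entry",
};
#define SAMPLE_COUNT (sizeof SAMPLE_SHADOW / sizeof SAMPLE_SHADOW[0])

int main(void)
{
    const char *users[] = { "alice", "bob", "carol", "dave", "mallory" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s %s\n", users[i],
               account_allowed(SAMPLE_SHADOW, SAMPLE_COUNT, users[i]) ? "allow" : "deny");
    return 0;
}
```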