openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at netradius.com
Sat Oct 8 01:46:46 MDT 2005


> Looks like you're right.  For some strange reason Linux PAM doesn't
> bother checking for account status in pam_acct_mgmt() where Solaris
> PAM does, for exactly this sort of reason.  I wonder if there is a
> patch to Linux PAM's pam_unix.so to make it work correctly for session
> and account management.

I got a little bored tonight watching TV and sitting on IRC so I wrote a
little PAM module to fix the problem. It will check for locked shadow
passwords during the pam_sm_acct_mgmt callback preventing locked users
from obtaining a login even if they are using public/private key
authentication. I've placed it at the following URL with some instructions
in case anyone is interested.

http://users.netradius.com/~erikrj/pam_shadow_locked.tbz2
http://users.netradius.com/~erikrj/pam_shadow_locked/

-- 
Erik R. Jensen
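
The account-phase check described in the message above, as an added example (this is not the code from the linked module): it looks up a user in shadow(5)-format text and denies the account when the password field carries the `!` prefix that `passwd -l` adds. The function names and the sample entries are assumptions made for illustration; a real module would obtain the field from getspnam(3) inside pam_sm_acct_mgmt instead of a string buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in shadow(5) format; the hashes are placeholders. */
static const char SAMPLE_SHADOW[] =
    "alice:$6$salt$placeholderhash:13064:0:99999:7:::\n"
    "bob:!$6$salt$placeholderhash:13064:0:99999:7:::\n"
    "bobby:$6$salt$placeholderhash:13064:0:99999:7:::\n";

/* Hypothetical helper: returns 1 if the user's password field starts with
 * '!' (the lock prefix added by passwd -l / usermod -L), 0 if it does not,
 * and -1 if the user has no entry or the name is not a valid lookup key. */
int account_is_locked(const char *shadow, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = shadow;

    if (ulen == 0 || strchr(user, ':') != NULL || strchr(user, '\n') != NULL)
        return -1;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        /* Exact match only: the name must be followed directly by ':',
         * so "bob" never matches the "bobby" entry. */
        if (strncmp(line, user, ulen) == 0 && line[ulen] == ':')
            return line[ulen + 1] == '!';
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Decision an account-phase hook would make, independent of how the user
 * authenticated (password or public key): only a known, unlocked account
 * passes, and an unknown user is denied (fail closed). */
int account_phase_allows(const char *shadow, const char *user)
{
    return account_is_locked(shadow, user) == 0;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "bobby", "mallory" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s %s\n", users[i],
               account_phase_allows(SAMPLE_SHADOW, users[i]) ? "allow" : "deny");
    return 0;
}
```

Only the `!` prefix is treated as locked here; whether a bare `*` field should also deny login is a site policy choice that this sketch leaves out.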



