openssh ignores locked account using public key authentication
smorrey at gmail.com
Sat Oct 8 01:47:50 MDT 2005
Just curious but does this apply only to users who were allowed SSH in
the first place or to everyone?
I ask this because my server logs have shown a large number of
connects/rejects for people with usernames eerily similar to
daemon/process names, such as apache, nobody, admin, user, etc.
I would be a little spooked to remove a system process completely from
the system if this were the case.
On 10/8/05, Erik R. Jensen <erikrj at netradius.com> wrote:
> > Looks like you're right. For some strange reason Linux PAM doesn't
> > bother checking for account status in pam_acct_mgmt() where Solaris
> > PAM does, for exactly this sort of reason. I wonder if there is a
> > patch to Linux PAM's pam_unix.so to make it work correctly for session
> > and account management.
> I got a little bored tonight watching TV and sitting on IRC so I wrote a
> little PAM module to fix the problem. It will check for locked shadow
> passwords during the pam_sm_acct_mgmt callback preventing locked users
> from obtaining a login even if they are using public/private key
> authentication. I've placed it at the following url with some instructions
> in case anyone is interested.
> Erik R. Jensen
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
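The check Erik's module performs, as an added example that is not his module or any code from the original thread: a Python script that parses /etc/shadow-format records (the sample lines are constructed, not from a real system) and decides whether account management should admit the user, independently of whether they authenticated with a password or a public key. Treating `*` (no password ever set, typical for daemon accounts) as a denial is this example's own policy choice, and the `today` parameter is a hypothetical hook for testing the expiry check.

```python
"""Locked-account check of the kind the thread's PAM module performs.

Added example, not the module from the thread. Parses /etc/shadow-format
records and decides whether account management should deny the login,
regardless of how the user authenticated (password or public key).
"""
import datetime

# Constructed sample /etc/shadow records (not from a real system).
SAMPLE_SHADOW = """\
alice:$6$saltsalt$fakehashvalue:19000:0:99999:7:::
bob:!$6$saltsalt$fakehashvalue:19000:0:99999:7:::
carol:!!:19000:0:99999:7:::
apache:*:19000:0:99999:7:::
dave:$6$saltsalt$fakehashvalue:19000:0:99999:7::18000:
"""


def parse_shadow(text):
    """Return {user: fields} for each 9-field shadow record."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        entries[fields[0]] = fields
    return entries


def account_status(fields, today=None):
    """Classify an account as 'ok', 'locked', 'nologin' or 'expired'.

    'locked'  : hash prefixed with '!' (passwd -l / usermod -L) or Solaris '*LK*'
    'nologin' : hash is exactly '*' (no password set; daemon accounts)
    'expired' : expire field (days since the epoch) lies in the past
    The thread's point is that Linux pam_unix does not reject 'locked' in
    pam_sm_acct_mgmt, so key-based logins to locked accounts still succeed.
    """
    pw_hash, expire = fields[1], fields[7]
    if pw_hash.startswith("!") or pw_hash.startswith("*LK*"):
        return "locked"
    if pw_hash == "*":
        return "nologin"
    if expire:
        if today is None:  # 'today' as days since 1970-01-01, like the shadow field
            today = (datetime.date.today() - datetime.date(1970, 1, 1)).days
        if int(expire) < today:
            return "expired"
    return "ok"


def acct_mgmt_allows(user, shadow_text=SAMPLE_SHADOW, today=None):
    """Emulate the account-management decision: only 'ok' accounts may log in."""
    entries = parse_shadow(shadow_text)
    if user not in entries:  # unknown user: deny, as PAM would
        return False
    return account_status(entries[user], today) == "ok"
```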