openssh ignores locked account using public key authentication

Dreamer smorrey at gmail.com
Sat Oct 8 01:47:50 MDT 2005


Just curious but does this apply only to users who were allowed SSH in
the first place or to everyone?

I ask this because my server logs have shown a large number of
connects/rejects for people with usernames eerily similar to
daemon/process names, such as apache, nobody, admin, user, etc.

I would be a little spooked to remove a system process completely from
the system if this were the case.

On 10/8/05, Erik R. Jensen <erikrj at netradius.com> wrote:
>
> > Looks like you're right.  For some strange reason Linux PAM doesn't
> > bother checking for account status in pam_acct_mgmt() where Solaris
> > PAM does, for exactly this sort of reason.  I wonder if there is a
> > patch to Linux PAM's pam_unix.so to make it work correctly for session
> > and account management.
>
> I got a little bored tonight watching TV and sitting on IRC so I wrote a
> little PAM module to fix the problem. It will check for locked shadow
> passwords during the pam_sm_acct_mgmt callback preventing locked users
> from obtaining a login even if they are using public/private key
> authentication. I've placed it at the following url with some instructions
> in case anyone is interested.
>
> http://users.netradius.com/~erikrj/pam_shadow_locked.tbz2
> http://users.netradius.com/~erikrj/pam_shadow_locked/
>
> --
> Erik R. Jensen
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>

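For readers who want to see what the quoted module's check amounts to, here is an added illustration (constructed for this thread, not Erik's pam_shadow_locked code): a small PAM account-management module that looks the user up in /etc/shadow during pam_sm_acct_mgmt and refuses the session when the password field is locked, so a valid public key alone no longer gets a locked account in. The module name, the HAVE_PAM build switch and the return-code choices are assumptions; only the lock-detection helpers compile without the PAM headers.

```c
/* pam_lockcheck.c: illustrative PAM account module that refuses logins for
 * accounts whose /etc/shadow password field is locked, however the user
 * authenticated (password or public key).  Constructed example.
 * Build as a module:
 *   gcc -DHAVE_PAM -shared -fPIC -o pam_lockcheck.so pam_lockcheck.c -lpam
 * then add "account required pam_lockcheck.so" to /etc/pam.d/sshd.
 * Without -DHAVE_PAM only the lock-detection helpers are compiled. */
#include <string.h>
#include <shadow.h>

/* 1 if a shadow password field means "administratively locked": passwd -l
 * and usermod -L prefix the hash with '!', so any '!' prefix ("!!" too)
 * counts, as does Solaris-style "*LK*".  A lone "*" only means "no valid
 * password", the normal state of a key-only account, and is not locked. */
int shadow_field_is_locked(const char *hash)
{
    if (hash == NULL)
        return 0;
    if (hash[0] == '!')
        return 1;
    return strncmp(hash, "*LK*", 4) == 0;
}

/* Look the user up in /etc/shadow (readable because sshd runs the account
 * phase as root).  1 = locked, 0 = not locked, -1 = no local entry. */
int user_is_locked(const char *user)
{
    struct spwd *sp = getspnam(user);
    if (sp == NULL)
        return -1;
    return shadow_field_is_locked(sp->sp_pwdp);
}

#ifdef HAVE_PAM
#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>

int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;
    switch (user_is_locked(user)) {
    case 1:  return PAM_PERM_DENIED; /* locked: refuse even with a valid key */
    case 0:  return PAM_SUCCESS;
    default: return PAM_IGNORE;      /* not in local shadow: defer to other modules */
    }
}
#endif
```

Because a bare "*" is left alone, key-only service accounts keep working while accounts locked with passwd -l are refused; which placeholder your distribution writes for new users is worth checking before deploying such a rule.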