openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at netradius.com
Sat Oct 8 12:11:43 MDT 2005


> Just curious but does this apply only to users who were allowed SSH in
> the first place or to everyone?

The PAM module applies to all users and whatever process you configure it
for. So, if you add the module to /etc/pam.d/sshd as suggested in the
README, it will be used to keep out any user with a locked shadow password
whether they are using password or public/private key authentication. It
is meant to work with the other modules that already exist such as
pam_unix.so to protect your system since it doesn't perform any of the
other callback functions except for pam_sm_acct_mgmt. It doesn't mean you
can't use it in another pam configuration file for another service. The
module is OpenSSH agnostic.

> I ask this because my server logs have showed a large number of
> connects/rejects for people with usernames eerily similar to
> daemon/process names, such as apache,nobody,admin,user etc.

The short of it is, unless you've set up public/private key pairs for these
users (bad idea) for use with OpenSSH, the pam_unix.so module is already
keeping these login attempts out assuming they have not been assigned a
password or a weak password which is usually the case.

> I would be a little spooked to remove a system process completely from
> the system if this were the case.

By default these accounts cannot be logged into. Unless you gave them
passwords, I wouldn't worry about it. You can verify by looking at your
/etc/shadow file. They should have a '*' or a '!' in the password field.

-- 
Erik R. Jensen
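The two checks discussed in this reply (what a PAM account-management hook sees in the shadow password field, and which modules sit in the sshd account stack) as an added, stand-alone example. This is not code from the thread or from the PAM module being discussed; the /etc/shadow and /etc/pam.d/sshd contents below are constructed sample data, and the helper names are my own. One caveat the thread does not spell out: sshd only consults PAM's account stack at all when `UsePAM yes` is set in sshd_config, so that setting is part of any verification.

```python
"""Shadow-lock and PAM-stack audit helpers (added example, not from the thread)."""

# Constructed sample /etc/shadow lines (assumption: standard Linux layout,
# second field is the password field).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
apache:!!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
admin:!$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
erik:$6$saltsalt$anotherhashvalue:19000:0:99999:7:::
user::19000:0:99999:7:::
"""

# Constructed sample /etc/pam.d/sshd (assumption: classic type/control/module layout).
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_unix.so
account    required     pam_unix.so
account    required     pam_nologin.so
session    required     pam_limits.so
"""


def password_field_state(field):
    """Classify a shadow password field the way an account-management hook
    keyed on the shadow lock would:
      'locked' : starts with '!' (passwd -l / usermod -L, or '!!' for never set)
      'nopass' : '*' means no hash can ever match
      'empty'  : no password at all; this is the dangerous case
      'hashed' : a usable hash, so password auth is possible
    """
    if field == "":
        return "empty"
    if field.startswith("!"):
        return "locked"
    if field == "*":
        return "nopass"
    return "hashed"


def parse_shadow(text):
    """Return {username: password_field} for each non-comment shadow line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries[parts[0]] = parts[1]
    return entries


def accounts_to_deny(shadow_text):
    """Users a shadow-lock aware pam_sm_acct_mgmt hook should reject, whether
    the client offered a password or a public key."""
    return sorted(u for u, f in parse_shadow(shadow_text).items()
                  if password_field_state(f) in ("locked", "nopass"))


def risky_daemon_accounts(shadow_text, daemon_names):
    """Daemon-style accounts (the names seen in the poster's logs) that still
    have a usable or empty password, i.e. the cases worth acting on."""
    entries = parse_shadow(shadow_text)
    return sorted(u for u in daemon_names
                  if u in entries
                  and password_field_state(entries[u]) in ("hashed", "empty"))


def account_modules(pam_text):
    """Module names in the 'account' stack of a PAM service file, in order.
    A leading '-' on the type (optional module) is tolerated."""
    modules = []
    for line in pam_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lstrip("-") == "account":
            modules.append(parts[2])
    return modules


if __name__ == "__main__":
    print("denied by shadow lock:", accounts_to_deny(SAMPLE_SHADOW))
    print("daemon accounts still loginable:",
          risky_daemon_accounts(SAMPLE_SHADOW, ["apache", "nobody", "admin", "user"]))
    print("sshd account stack:", account_modules(SAMPLE_PAM_SSHD))
```

On the sample data, `apache`, `nobody` and `admin` are locked (the `!!`, `*` and `!$6$...` forms respectively), `erik` and `root` have real hashes, and `user` has an empty field, which is the one a practitioner should chase down. The account-stack listing is what to compare against the README's instruction to add the module to /etc/pam.d/sshd: if the module is not in that list, or `UsePAM` is off, sshd never asks it.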




More information about the PLUG mailing list