Florian Bilek writes:
> 2.) In principle the login via SSH is working very well. I encountered
> recently a kind of weakness in the configuration: a RACF user that uses its
> own RSA keys to log into the system. When I do a RACF revoke on that user,
> it seems that the LDAP check does not take place and the user can still log in.
> What can be done about that?
There's a section of the sshd(8) man page beginning:
    Regardless of the authentication type, the account is checked
    to ensure that it is accessible. An account is not accessible
    if it is locked, listed in DenyUsers or its group is listed in
    DenyGroups. The definition of a locked account is system
    dependant. Some platforms...
and which then (as I try to ignore the misspelling of dependent)
gives O/S-specific ways that it checks for locked accounts,
usually by special contents of a directly-accessed shadow
password field such as "*LK", "Nologin", "!". From that, I'd guess
that sshd may not invoke PAM in a way that would let you use
pam_ldap to do the appropriate lookup via LDAP.
What about, as a workaround, creating a RACF group named NOLOGIN,
connecting revoked users to that group (an extra step, but that's
why I called it a workaround not a proper solution) and then
putting "DenyGroups nologin" in your sshd_config? If z/VM LDAP
doesn't special case group membership lookups for revoked users
then I think that may work.
--Malcolm
--
Malcolm Beattie
Mainframe Systems and Software Business, Europe
IBM UK
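The access check that the man page excerpt and the DenyGroups workaround above rely on, as an added example (not code from the list post, from OpenSSH, or from IBM): a small Python model that parses a constructed sshd_config fragment and decides, after any authentication method has succeeded, whether the account is still accessible. The user names, the group table, the shadow fields and the lock markers are constructed for illustration; the list of locked-password markers is taken from the ones named in the post plus common variants and is an assumption, not the full per-platform list sshd uses, and primary versus supplementary group membership is collapsed into one table. The directive order (DenyUsers, AllowUsers, DenyGroups, AllowGroups) is the one documented in sshd_config(5).

```python
"""Model of the post-authentication account check described in sshd(8):
regardless of how the user authenticated (e.g. with an RSA key), the
account is refused if it is locked or matched by DenyUsers / DenyGroups.

Added example with constructed data; not OpenSSH's own code."""
import fnmatch

# Constructed sshd_config fragment reflecting the proposed workaround:
# revoked RACF users are connected to a NOLOGIN group and that group is denied.
SSHD_CONFIG = """\
# revoked RACF users are connected to the NOLOGIN group
DenyGroups nologin
DenyUsers guest
"""

# Constructed group membership (group name -> members), as the name service
# (local files or LDAP) would present it. Primary and supplementary groups
# are collapsed into this one table for simplicity.
GROUPS = {
    "nologin": {"frank"},
    "wheel": {"alice"},
}

# Constructed shadow password fields (values are placeholders, not real hashes).
SHADOW = {
    "alice": "$6$salt$hash",   # normal hash, unlocked
    "bob": "!$6$salt$hash",    # locked with a '!' prefix
    "carol": "*LK*",           # Solaris-style lock marker
    "frank": "$6$salt$hash",   # unlocked, but a member of nologin
    "guest": "$6$salt$hash",   # unlocked, but listed in DenyUsers
}

# Assumption: markers named in the post plus common variants; sshd's real
# check is platform specific and not fully reproduced here.
LOCKED_MARKERS = ("!", "*LK*", "*NP*", "Nologin")


def parse_sshd_config(text):
    """Collect the Deny*/Allow* pattern lists from an sshd_config text.

    Keywords are case-insensitive; values are whitespace-separated patterns;
    '#' starts a comment."""
    rules = {"denyusers": [], "allowusers": [], "denygroups": [], "allowgroups": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in rules:
            rules[key].extend(value.split())
    return rules


def matches(name, patterns):
    """Shell-style wildcard match ('*' and '?'), as sshd_config patterns use."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def is_locked(shadow_field):
    return shadow_field.startswith(LOCKED_MARKERS)


def account_accessible(user, rules, groups=GROUPS, shadow=SHADOW):
    """Return (accessible, reason).

    A locked account is refused first; the directives are then applied in the
    sshd_config(5) order DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if user not in shadow:
        return False, "unknown user"
    if is_locked(shadow[user]):
        return False, "account locked in shadow"
    if matches(user, rules["denyusers"]):
        return False, "matched DenyUsers"
    if rules["allowusers"] and not matches(user, rules["allowusers"]):
        return False, "not in AllowUsers"
    user_groups = [g for g, members in groups.items() if user in members]
    if any(matches(g, rules["denygroups"]) for g in user_groups):
        return False, "matched DenyGroups"
    if rules["allowgroups"] and not any(matches(g, rules["allowgroups"]) for g in user_groups):
        return False, "not in AllowGroups"
    return True, "ok"


RULES = parse_sshd_config(SSHD_CONFIG)

if __name__ == "__main__":
    for name in sorted(SHADOW) + ["mallory"]:
        ok, why = account_accessible(name, RULES)
        print(f"{name:8s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The point the model makes visible is the one in the post: a user whose key still authenticates (frank) is refused only because of the DenyGroups match, so the workaround only holds as long as revoking a RACF user reliably puts that user into the denied group as seen by sshd's group lookup.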
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/