On 7/21/12 3:39 PM, Florian Bilek wrote:
> 2.) In principle the login via SSH is working very well. I encountered
> recently a kind of weakness in the configuration: a RACF user that uses its
> own RSA keys to log into the system. When I do a RACF revoke on that user,
> it seems that the LDAP check does not take place and the user can still log in.
> What can be done about that?
ssh apparently bypasses the pam "auth" step if it has an ssh key match. Perhaps experiment by adding a pam "account" or pam "session" step which refers to pam_ldap? I'm unclear whether the pam_ldap module supports these steps, though; the documentation is unclear.

One other useful pam module which may apply here is "pam_access". pam_access does explicitly support the "account" and "session" module types, and it's quite flexible. You might be able to craft e.g. a "denied_users" group which would deny access to any member of that group.

One final thought: I seem to recall there are patches flying around which allow ssh public keys to be stored in LDAP. Perhaps investigate this idea. If pubkeys could only be in a user's LDAP entry, then as part of a revoke process, these keys could be removed. Google "ssh public key ldap".

Hope that helps,

-- Pat

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
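The configuration shape Pat is suggesting, as an added example that is not part of the original thread. It shows an sshd PAM stack where public-key logins skip the "auth" modules but still pass through an "account" stack that consults pam_access and pam_ldap, plus the access.conf rule that denies the "denied_users" group mentioned above. The group name, the file paths and the `[default=bad success=ok user_unknown=ignore]` control for pam_ldap are assumptions for illustration; whether the LDAP account check actually reflects a RACF revoke depends on the directory server and is not established by the thread.

```text
# /etc/ssh/sshd_config (assumed path)
# Without UsePAM the "account" and "session" stacks below are never run
# for key-based logins, so this line is the one that matters.
UsePAM yes

# /etc/pam.d/sshd (assumed path; only the relevant lines shown)
# "auth" is skipped by sshd when publickey authentication succeeds.
auth      required   pam_unix.so
auth      sufficient pam_ldap.so use_first_pass

# "account" still runs after a successful key match.
# pam_access consults /etc/security/access.conf; a denied user is rejected
# even though the key matched.
account   required   pam_access.so
# pam_ldap account check; local-only users (e.g. root) are unknown to LDAP,
# so treat "user unknown" as neutral rather than as a failure (assumption).
account   [default=bad success=ok user_unknown=ignore] pam_ldap.so
account   required   pam_unix.so

session   required   pam_unix.so

# /etc/security/access.conf (assumed path)
# Format: permission : users/groups : origins
# Parentheses mark a group name. Anyone placed in "denied_users"
# (a hypothetical group) is refused from any origin.
- : (denied_users) : ALL
# Everything else is allowed.
+ : ALL : ALL
```

With this in place, a revoke procedure that adds the user to the denied_users group (locally or in LDAP, depending on where groups are resolved) takes effect on the next SSH connection regardless of which keys are in the user's authorized_keys file. pam_access applies a rule per connection, so it does not terminate sessions that are already open.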
