On Mon, Jul 23, 2012 at 10:25:34AM +0100, Malcolm Beattie wrote:
> There's a section of the sshd(8) man page beginning:
>   Regardless of the authentication type, the account is checked
>   to ensure that it is accessible. An account is not accessible
>   if it is locked, listed in DenyUsers or its group is listed in
>   DenyGroups. The definition of a locked account is system
>   dependant. Some platforms...
>
> and which then (as I try to ignore the misspelling of dependent)
> gives O/S-specific ways that it checks for locked accounts,
> usually by special contents of a directly-accessed shadow
> password field such as "*LK", "Nologin", "!". From that, I'd guess
> that sshd may not invoke PAM in a way that would let you use
> pam_ldap to do the appropriate lookup via LDAP.

It should be sufficient to set up NSS to list the locked password in
"getent shadow" (as root). Normally you have libnss-ldap(d) in addition to
libpam-ldap(d).

Kind regards
Philipp Kern
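
Added example, not part of the original messages: a shell check of whether the shadow entry that NSS returns for an account carries the lock marker sshd looks for. It assumes the Linux rule of a leading "!" in the password field; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify a shadow entry by the Linux lock marker named in the quoted
# man page text: a password field beginning with "!" means locked.
# Assumption: only the "!" prefix rule is checked; other platforms use
# different markers ("*LK", "Nologin", ...).

# lock_state USER -- reads shadow-format lines on stdin and prints
# one of: locked | unlocked | absent
lock_state() {
    awk -F: -v user="$1" '
        $1 == user {
            found = 1
            # Field 2 holds the password hash or the lock marker.
            state = (substr($2, 1, 1) == "!") ? "locked" : "unlocked"
            exit
        }
        END { print (found ? state : "absent") }
    '
}

# Constructed sample of "getent shadow" output (names and hashes are
# made up). bob is locked; carol has "*", which is not the "!" prefix,
# so this check reports her as unlocked.
sample_shadow() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:15500:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:15500:0:99999:7:::
carol:*:15500:0:99999:7:::
EOF
}

# Live use, as root, against whatever NSS is configured to serve:
#   check_live someuser
check_live() {
    getent shadow "$1" | lock_state "$1"
}
```

A result of "absent" or "unlocked" for an account that is locked in the directory means NSS is not exposing the marker through the shadow map.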
