ssh will still use pam_acct_mgmt() and pam_open_session() even when doing private key authentication (not PAM), but it must be linked to libpam.so and "UsePAM yes" must be set in the sshd_config file. Without PAM support in sshd, after the key has been validated, sshd will not check anything other than a simple getpwnam() for a valid shell, homedir, uid and gid before opening a session for the user.
It's also possible that pam_acct_mgmt() and pam_open_session() aren't checking for locked shadow passwords on Linux, but I don't believe this is the case.

On 10/3/05, Erik R. Jensen <[EMAIL PROTECTED]> wrote:
> It appears that when using public key authentication with openssh, the
> locked status of an account is ignored. This means I can issue "passwd
> -l", and if the user had set up ssh keys for authentication, they can still
> log in. I know there are other ways to further lock an account which I have
> been doing, but I really just want openssh to respect the "!" that gets
> placed in the shadow file when a "passwd -l" is issued. Is there a change
> I can make in /etc/pam.d/sshd to force this check to happen or something I
> am just overlooking?
>
> I don't have this problem on the AIX and Solaris machines I manage, just
> the Linux boxen. I have done a little digging, but nothing in depth and
> thought I would post to the list to see if it can save me some time.
> Thanks.
>
> --
> Erik R. Jensen
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
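An added example, not part of the original thread: a small audit that lists accounts whose shadow entry carries the "!" from "passwd -l" but that still have an authorized_keys file, the combination discussed above. It assumes the default ~/.ssh/authorized_keys location; the function names and the sample passwd/shadow data are constructed for illustration.

```python
import os
import tempfile

def parse_colon_file(text):
    """Yield field lists from passwd/shadow-style text, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def locked_users(shadow_text):
    """Users whose shadow password field starts with '!' (the mark 'passwd -l' adds)."""
    return {f[0] for f in parse_colon_file(shadow_text)
            if len(f) > 1 and f[1].startswith("!")}

def locked_with_keys(passwd_text, shadow_text, root="/"):
    """Locked users that still have a non-empty ~/.ssh/authorized_keys under root."""
    locked = locked_users(shadow_text)
    hits = []
    for f in parse_colon_file(passwd_text):
        if len(f) < 7 or f[0] not in locked:
            continue
        # Assumption: sshd uses the default AuthorizedKeysFile location.
        keyfile = os.path.join(root, f[5].lstrip("/"), ".ssh", "authorized_keys")
        if os.path.isfile(keyfile) and os.path.getsize(keyfile) > 0:
            hits.append((f[0], keyfile))
    return sorted(hits)

# Constructed sample data: alice and bob are locked, carol is not.
SAMPLE_PASSWD = """alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash"""
SAMPLE_SHADOW = """alice:!$6$constructedsalt$constructedhash:13059:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:13059:0:99999:7:::
carol:$6$constructedsalt$constructedhash:13059:0:99999:7:::"""

def demo():
    """Build a throwaway home tree (keys for alice and carol only) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for user in ("alice", "bob", "carol"):
            os.makedirs(os.path.join(root, "home", user, ".ssh"))
        for user in ("alice", "carol"):
            path = os.path.join(root, "home", user, ".ssh", "authorized_keys")
            with open(path, "w") as fh:
                fh.write("ssh-ed25519 CONSTRUCTED-KEY %s@example\n" % user)
        return [u for u, _ in locked_with_keys(SAMPLE_PASSWD, SAMPLE_SHADOW, root)]

if __name__ == "__main__":
    print(demo())
```

On a live system, pass the contents of /etc/passwd and /etc/shadow (read as root) and leave root at "/".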
