On Oct 3, 2005, at 1:40 PM, Erik R. Jensen wrote:
It appears that when using public key authentication with openssh, the locked status of an account is ignored. This means I can issue "passwd -l", and if the user had set up ssh keys for authentication, they can still log in. I know there are other ways to further lock an account which I have been doing, but I really just want openssh to respect the "!" that gets placed in the shadow file when a "passwd -l" is issued. Is there a change I can make in /etc/pam.d/sshd to force this check to happen, or something I am just overlooking?

SSH will authenticate using a number of different methods: pubkey, keyboard-interactive, and password.

Public key authentication uses PAM to do no more than look up the home directory of the user. It actually might not use PAM at all and just access the file directly. Locking an account has no effect on this form of auth.

Keyboard-interactive (aka ChallengeResponse) will check for s/key passwords, or use UsePAM to perform authentication. Locking an account will not disable the s/key alternative here, IIRC.

Password authentication will tunnel clear text passwords over the ssh connection. Locking an account will disable this option.

The only sure way to lock an account from any SSH access is to remove the entry from the passwd file altogether. If you don't use some other form of user account management, you could just move their passwd entry to a file called passwd.locked. This would prevent *any* access by that user.

--lonnie
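An added audit script (not from the thread, and not part of openssh) for the gap Lonnie describes: it lists accounts whose shadow entry carries the "!" that "passwd -l" writes but whose home directory still holds a non-empty authorized_keys, i.e. accounts a key holder can still reach despite the lock. The passwd/shadow pair and home directories below are constructed in a temp dir so the script runs offline; the user names and hash values are placeholders.

```shell
#!/bin/sh
# locked_users_with_keys PASSWD_FILE SHADOW_FILE
# Prints "<user> <path-to-authorized_keys>" for every account whose shadow
# password field begins with "!" (locked via passwd -l, or "!" alone) and whose
# home directory still contains a non-empty ~/.ssh/authorized_keys.
locked_users_with_keys() {
    passwd_file="$1"; shadow_file="$2"
    while IFS=: read -r user hash _rest; do
        case "$hash" in
            '!'*) ;;            # locked: fall through to the key check
            *) continue ;;      # not locked: password lock is not the issue
        esac
        # Home directory comes from the 6th field of the passwd entry.
        home="$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd_file")"
        keys="$home/.ssh/authorized_keys"
        # -s: file exists and is non-empty, so at least one key may be usable.
        if [ -n "$home" ] && [ -s "$keys" ]; then
            printf '%s %s\n' "$user" "$keys"
        fi
    done < "$shadow_file"
}

# --- constructed sample data (placeholder users, fake hashes) ---------------
WORK="$(mktemp -d)"
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"
mkdir -p "$WORK/home/alice/.ssh" "$WORK/home/bob/.ssh" "$WORK/home/carol"
cat > "$PASSWD" <<EOF
alice:x:1001:1001::$WORK/home/alice:/bin/sh
bob:x:1002:1002::$WORK/home/bob:/bin/sh
carol:x:1003:1003::$WORK/home/carol:/bin/sh
EOF
cat > "$SHADOW" <<EOF
alice:!FAKEHASHalice:19000:0:99999:7:::
bob:FAKEHASHbob:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
EOF
# alice: locked but still has a key -> reported.
# bob:   not locked               -> ignored by this check.
# carol: locked, no .ssh at all   -> nothing to report.
echo "ssh-ed25519 AAAAC3CONSTRUCTEDKEY alice@example" > "$WORK/home/alice/.ssh/authorized_keys"
echo "ssh-ed25519 AAAAC3CONSTRUCTEDKEY bob@example"   > "$WORK/home/bob/.ssh/authorized_keys"

locked_users_with_keys "$PASSWD" "$SHADOW"
# Temp dir "$WORK" is left in place so the output paths can be inspected.
```

On a live box, run it as root against /etc/passwd and /etc/shadow; any line it prints is an account where "passwd -l" alone did not cut off SSH access.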


/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
