On 10/4/05, Lonnie Olson <[EMAIL PROTECTED]> wrote:
> SSH will authenticate using a number of different methods. pubkey,
> keyboard-interactive, and password.
>
> public key authentication uses PAM to do no more than look up the
> home directory of the user. It actually might not use PAM at all and
> just access the file directly. Locking an account has no effect on
> this form of auth.
Locking an account can actually affect publickey authentication as long as UsePAM is set to yes in the sshd_config and the Linux PAM function pam_acct_mgmt() is working as it should be (as the Solaris PAM function does). In this scenario sshd will authenticate the user with publickey and will then call the pam_acct_mgmt and pam_open_session functions that should fail based on the locked account (this is how it works on Solaris). If UsePAM is set to no these functions wouldn't be called and a locked account would be allowed by publickey.

The best thing anyone can do for SSH security is disable every non-essential and duplicate authentication method. A typical configuration I'll use is (auth section only):

# I don't leave things that might matter commented because the compiled defaults might
# not be what we expect.
RSAAuthentication no
PubkeyAuthentication yes
HostbasedAuthentication no

# Just because PasswordAuthentication is set to no doesn't mean users can't authenticate
# by way of passwords, this is being done by PAM. Why would we want two methods
# doing the same thing? Just let PAM do it and do it right/better.
PasswordAuthentication no

# Challenge response means exactly that. This is dialog driven authentication. If
# something in PAM wants something other than a static "passwd:" this will allow PAM
# to ask for it. For example: "Enter user's new password:" "enter token:"
ChallengeResponseAuthentication yes

# Kerberos is cool, but in SSH, GSSAPI is cooler
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication yes

# And of course, our good friend PAM.
UsePAM yes

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
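As an added example (not code from either poster in this thread), the following POSIX shell audit checks an sshd_config for the directives listed in the reply above and reports each one as explicitly set to the expected value, set to something else, or missing (commented out or absent, so the compiled-in default applies). The directive names are real sshd_config keywords; the sample config file written below is constructed for the example, and the function names sshd_config_get, audit_sshd_config and audit_problem_count are chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an sshd_config for the
# authentication directives the reply recommends setting explicitly, so that
# nothing is silently left to a compiled-in default.

# Directive/value pairs from the post's "auth section only" list (real sshd keywords).
EXPECTED='RSAAuthentication no
PubkeyAuthentication yes
HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication yes
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication yes
UsePAM yes'

# Print the value of one directive from a config file, lower-cased, or nothing
# if it is absent or only present as a comment. Keywords match case-insensitively,
# as in sshd, and the first occurrence wins (sshd keeps the first value it sees).
# Assumption: "Match" blocks are not interpreted; for the effective per-connection
# configuration on a live host use `sshd -T`.
sshd_config_get() {
  cfg=$1
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    /^[ \t]*#/ { next }                                   # commented-out line
    NF >= 2 && tolower($1) == key { print tolower($2); exit }
  ' "$cfg"
}

# Print one report line per expected directive:
#   OK name=value
#   MISSING name (expected value)    -> not set, compiled default applies
#   BAD name=got (expected value)    -> set, but not to the recommended value
audit_sshd_config() {
  cfg=$1
  printf '%s\n' "$EXPECTED" | while read -r name want; do
    got=$(sshd_config_get "$cfg" "$name")
    if [ -z "$got" ]; then
      printf 'MISSING %s (expected %s)\n' "$name" "$want"
    elif [ "$got" != "$want" ]; then
      printf 'BAD %s=%s (expected %s)\n' "$name" "$got" "$want"
    else
      printf 'OK %s=%s\n' "$name" "$got"
    fi
  done
}

# Number of report lines that are not OK; 0 means the file matches the list.
audit_problem_count() {
  audit_sshd_config "$1" | awk '!/^OK / { n++ } END { print n + 0 }'
}

# Constructed sample config: RSAAuthentication is commented out (so the compiled
# default applies) and PasswordAuthentication is still enabled, duplicating PAM.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config for the audit
Port 22
#RSAAuthentication no
PubkeyAuthentication yes
HostbasedAuthentication no
passwordauthentication yes
ChallengeResponseAuthentication yes
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication yes
UsePAM yes
EOF

audit_sshd_config "$SAMPLE_CFG"
echo "problems: $(audit_problem_count "$SAMPLE_CFG")"
```

On the sample file this reports RSAAuthentication as MISSING and PasswordAuthentication as BAD, two problems. Two caveats for a real host: `sshd -T` prints the effective configuration including the compiled defaults and Match-block results, which is the authoritative answer to "what does the default actually resolve to"; and `sshd -t` validates the file and refuses unknown keywords, so a misspelled directive name fails at startup rather than being silently ignored.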
