> On 10/4/05, Lonnie Olson <[EMAIL PROTECTED]> wrote:
>> public key authentication uses PAM to do no more than look up the
>> home directory of the user. It actually might not use PAM at all and
>> just access the file directly. Locking an account has no effect on
>> this form of auth.
From what I have gathered, if UsePAM is set to yes in the sshd_config file and public key authentication is used, callbacks will be made only to pam_sm_acct_mgmt and pam_sm_open_session, not pam_sm_authenticate. So only modules of the type session and account will be called in the pam.d/sshd config. The problem, I believe, stems from the fact that none of the modules listed for the account and session types check for a locked password in /etc/shadow. The pam_unix module, which does the checking, checks in its _unix_verify_password function in unix_chkpwd.c (line 360). This is not called for the pam_sm_acct_mgmt or pam_sm_open_session functions in that module, since there is no password to verify.

So, if I want to only have to run one command, "passwd -l", to truly lock any account and not deal with setting shells to false or managing some kind of access list, I will either have to modify the pam_unix module or code my own to perform verification on the shadow file during pam_sm_acct_mgmt or pam_sm_open_session. I believe something similar to this may be what happens on Solaris and AIX, but I need to verify. Anyone agree or disagree with this?

> Locking an account can actually affect publickey authentication as
> long as UsePAM is set to yes in the sshd_config and the Linux PAM
> function pam_acct_mgmt() is working as it should be (as the Solaris
> PAM function does). In this scenario sshd will authenticate the user
> with publickey and will then call the pam_acct_mgmt and
> pam_open_session functions that should fail based on the locked
> account (this is how it works on Solaris). If UsePAM is set to no
> these functions wouldn't be called and a locked account would be
> allowed by publickey.

This is not the case. I have had UsePAM enabled as well as the previous settings you mentioned (trimmed from this email), and the problem still persists. I again believe that there just needs to be some kind of check in a required module when the pam_acct_mgmt function is called.
> The best thing anyone can do for SSH security is disable every
> non-essential and duplicate authentication method. A typical
> configuration I'll use is (auth section only):

I totally agree, but it does not appear to fix this issue related to public key authentication in regards to locked accounts.

-- 
Erik R. Jensen

/* PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin. */
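Added example, not code from this thread, from pam_unix or from OpenSSH: the kind of account-type PAM module Erik describes writing, which enforces a "passwd -l" lock at the pam_acct_mgmt stage so that a publickey login to a locked account is refused once UsePAM is yes. The module name pam_shadowlock, the BUILD_PAM_MODULE compile switch and the sample shadow lines are all assumptions made for this example. Without the define it compiles as a plain program that runs the lock check over constructed shadow text; with the define and libpam headers it builds as a shared PAM module. Only a leading '!' counts as locked, because that is what passwd -l / usermod -L write; a '*' field is deliberately left alone, since it is commonly used for accounts meant to log in by key only.

```c
/* pam_shadowlock.c (assumed name) -- added example, not from the thread above.
 *
 * Stand-alone check (no PAM headers needed):
 *   gcc -Wall -o shadowlock_check pam_shadowlock.c && ./shadowlock_check
 * PAM account module (needs libpam development headers):
 *   gcc -Wall -fPIC -shared -DBUILD_PAM_MODULE -o pam_shadowlock.so pam_shadowlock.c -lpam
 */
#include <stdio.h>
#include <string.h>

/* shadow(5): "passwd -l" and "usermod -L" prepend '!' to the password field.
 * Return 1 if the field shows that lock, 0 otherwise. A '*' field or an
 * empty field is not treated as a lock (neither is written by passwd -l). */
int password_field_locked(const char *pw)
{
    if (pw == NULL)
        return 0;
    return pw[0] == '!';
}

/* Scan shadow-format text ("name:password:lastchg:...\n" per line) for
 * one user. Returns 1 if that user's entry is locked, 0 if not, and -1
 * if no entry for the user is present. Lets the check run on a copy of
 * the file (or constructed data) without root. */
int shadow_text_user_locked(const char *shadow_text, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = shadow_text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', linelen);

        if (colon && (size_t)(colon - p) == ulen && memcmp(p, user, ulen) == 0)
            return password_field_locked(colon + 1); /* only pw[0] is inspected */

        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return -1;
}

#ifdef BUILD_PAM_MODULE
#define PAM_SM_ACCOUNT
#include <shadow.h>
#include <security/pam_modules.h>

/* Account-management hook. sshd calls pam_acct_mgmt() after a successful
 * publickey authentication, so this is where a passwd -l lock can be
 * enforced. getspnam() needs root, which sshd still has at this stage. */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    struct spwd *sp;
    (void)flags; (void)argc; (void)argv;

    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;

    sp = getspnam(user);
    if (sp == NULL)
        return PAM_IGNORE;        /* no local shadow entry: let other modules decide */

    if (password_field_locked(sp->sp_pwdp))
        return PAM_PERM_DENIED;   /* locked with passwd -l: refuse even after a good key */

    return PAM_SUCCESS;
}
#endif

int main(void)
{
    /* Constructed sample shadow lines; the hashes are placeholders, not real. */
    const char *sample =
        "alice:$6$saltsalt$fakehashfakehash:16000:0:99999:7:::\n"
        "bob:!$6$saltsalt$fakehashfakehash:16000:0:99999:7:::\n"
        "svc:*:16000:0:99999:7:::\n";
    const char *users[] = { "alice", "bob", "svc", "carol" };
    size_t i;

    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        int r = shadow_text_user_locked(sample, users[i]);
        printf("%-6s %s\n", users[i],
               r < 0 ? "no entry" : r ? "LOCKED (passwd -l)" : "usable");
    }
    return 0;
}
```

To use the module form, install the .so where the distribution keeps PAM modules and add a line such as `account required pam_shadowlock.so` (assumed name) to /etc/pam.d/sshd, ahead of the existing account entries. A useful verification afterwards is to lock a test account with passwd -l and confirm that an ssh login with a valid key for that account is now refused while the sshd log shows the PAM account failure; with UsePAM no, the module is never consulted and the lock again has no effect on key logins, exactly as the thread describes.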
