> Just curious but does this apply only to users who were allowed SSH in
> the first place or to everyone?

The PAM module applies to all users and whatever process you configure it for. So, if you add the module to /etc/pam.d/sshd as suggested in the README, it will be used to keep out any user with a locked shadow password, whether they are using password or public/private key authentication. It is meant to work with the other modules that already exist, such as pam_unix.so, to protect your system, since it doesn't perform any of the other callback functions except for pam_sm_acct_mgmt. It doesn't mean you can't use it in another PAM configuration file for another service. The module is OpenSSH agnostic.

> I ask this because my server logs have shown a large number of
> connects/rejects for people with usernames eerily similar to
> daemon/process names, such as apache, nobody, admin, user etc.

The short of it is, unless you've set up public/private key pairs for these users (bad idea) for use with OpenSSH, the pam_unix.so module is already keeping these login attempts out, assuming they have not been assigned a password or a weak password, which is usually the case.

> I would be a little spooked to remove a system process completely from
> the system if this were the case.

By default these accounts cannot be logged into. Unless you gave them passwords, I wouldn't worry about it. You can verify by looking at your /etc/shadow file. They should have a '*' or a '!' in the password field.

--
Erik R. Jensen

/* PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin. */
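The /etc/shadow check the reply describes, written out as a script; this is an added example and not code from the post or from the PAM module it discusses. It reads a shadow-format file (a constructed sample here, with a dummy hash) and reports which accounts are locked, which have no password at all, and which carry a usable hash; the `SAMPLE_SHADOW` path and both function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): classify accounts in a
# shadow-format file by the state of the password field, i.e. the check
# the reply suggests doing by hand on /etc/shadow.
# Field 2 of each line: '*' or a '!'-prefixed value means locked, so
# pam_unix rejects password logins; an EMPTY field means no password is
# required; anything else is a hash the account can log in with.
# Note: key-based SSH logins never reach pam_unix's password check, which
# is why a module acting in pam_sm_acct_mgmt on the locked state is useful.

# Prints "<user> <state>" per account. state: locked | empty | hashed
classify_shadow() {
    # $1: path to a shadow-format file
    while IFS=: read -r user pass _rest; do
        [ -n "$user" ] || continue
        case "$pass" in
            '')       echo "$user empty" ;;
            '*'|'!'*) echo "$user locked" ;;
            *)        echo "$user hashed" ;;
        esac
    done < "$1"
}

# Prints the state of a single user ($2) from the file ($1).
shadow_state() {
    classify_shadow "$1" | awk -v u="$2" '$1 == u { print $2 }'
}

# Constructed sample data, not a real /etc/shadow; the root hash is a dummy.
SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$dummysalt$dummyhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
apache:!!:19000:0:99999:7:::
admin::19000:0:99999:7:::
EOF

# Anything reported as "empty" or "hashed" for a service account deserves
# a look; "locked" is the state the reply says these accounts should have.
classify_shadow "$SAMPLE_SHADOW"
```

Run it against the real file with `classify_shadow /etc/shadow` as root.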
