sshd allows login for locked users using publickey authentication

When authenticating a user by a publickey, sshd grants access to that
account even if it's locked by “passwd -l”. Seems like sshd is working
the way it is designed. sshd assumes that the key represents a successful
pam_authenticate and only calls pam_acct_mgmt. Unfortunately
pam_authenticate and not pam_acct_mgmt is doing the locked account
check, so the user is granted access.

Does anybody know a workaround for this? Maybe add an additional
PAM-module in the stack or modify /etc/pam.d/sshd in any way?

Tested on SLES9-SLES11.


dosys-T2

dosys-T2’s Profile: http://forums.novell.com/member.php?userid=66677
View this thread: http://forums.novell.com/showthread.php?t=449028
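An added audit script (not from the thread or from any of its posters) that looks for exactly the condition described above: accounts locked with passwd -l or usermod -L, which prefix the shadow password field with "!", that still carry a non-empty ~/.ssh/authorized_keys and therefore remain reachable through publickey authentication, since pam_acct_mgmt never inspects the password field. The shadow and passwd file paths are parameters; the users, home directories and placeholder hashes in build_sample are constructed test data.

```shell
#!/bin/sh
# Audit: locked accounts (shadow password field starting with "!") that still
# have a non-empty authorized_keys file. Added example, not the thread's code.
# File paths are parameters so the check can run on copies or on the
# constructed fixture below; on a live host pass /etc/shadow and /etc/passwd
# (reading /etc/shadow requires root).

# locked_users SHADOW: print one username per line whose hash is "!"-prefixed,
# which is what passwd -l and usermod -L write
locked_users() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# home_of USER PASSWD: print the home directory recorded for USER
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "$2"
}

# audit_locked_keys SHADOW PASSWD: print "user:keyfile" for every locked account
# that still has a non-empty authorized_keys file; prints nothing when clean
audit_locked_keys() {
    shadow=$1
    passwd=$2
    for u in $(locked_users "$shadow"); do
        h=$(home_of "$u" "$passwd")
        [ -n "$h" ] || continue
        keyfile="$h/.ssh/authorized_keys"
        if [ -s "$keyfile" ]; then
            echo "$u:$keyfile"
        fi
    done
}

# build_sample DIR: constructed fixture. alice is locked but keeps a key (the
# case the thread describes), bob is locked without a key, carol is unlocked
# with a key. Hashes are placeholders, not real password hashes.
build_sample() {
    d=$1
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol/.ssh"
    echo "ssh-ed25519 CONSTRUCTED-SAMPLE-KEY alice@example" > "$d/home/alice/.ssh/authorized_keys"
    echo "ssh-ed25519 CONSTRUCTED-SAMPLE-KEY carol@example" > "$d/home/carol/.ssh/authorized_keys"
    printf '%s\n' \
        "alice:x:1001:1001::$d/home/alice:/bin/sh" \
        "bob:x:1002:1002::$d/home/bob:/bin/sh" \
        "carol:x:1003:1003::$d/home/carol:/bin/sh" > "$d/passwd"
    printf '%s\n' \
        'alice:!$6$placeholderhash:15000:0:99999:7:::' \
        'bob:!$6$placeholderhash:15000:0:99999:7:::' \
        'carol:$6$placeholderhash:15000:0:99999:7:::' > "$d/shadow"
}

# demo: run the audit against the constructed fixture (safe as any user)
demo() {
    d=$(mktemp -d)
    build_sample "$d"
    audit_locked_keys "$d/shadow" "$d/passwd"
    rm -rf "$d"
}
demo
```

On a live system run `audit_locked_keys /etc/shadow /etc/passwd` as root; every line it prints is an account the lock alone does not protect. One PAM-visible complement that the thread does not mention but that is standard pam_unix behaviour: the account stage does reject an account whose expiry date (field 8 of /etc/shadow) has passed, so pairing the lock with an expiry date in the past (for example `chage -E 2000-01-01 user`) makes pam_acct_mgmt refuse the login even when the key is accepted, provided sshd runs with UsePAM yes.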


Have you tried using ‘usermod’ with its -L option? I have not, but it
may be worth doing since I believe it locks another way so PAM may see
that one (vs. passwd which just makes the password invalid and therefore
unusable, but that does not affect your user who is not using a password).

Good luck.

“usermod -L” shows the same effect.


dosys-T2



Bummer. You may want to create a script or something that, when you
lock a user, also renames their ~username/.ssh/authorized_keys file to
something like ~username/.ssh/authorized_keys.locked and with about ten
lines of shell scripting you could use usermod-dosys or passwd-dosys
which looks for the ‘-L’ or ‘-l’ and acts accordingly if there,
otherwise just passes through all of the arguments to the real command.

If you work out how to make PAM check password authentication info when
doing passwordless stuff please post back, though.

Good luck.
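The wrapper sketched in the post above, written out as an added example (it is not the poster's script): a pass-through front end for passwd that watches for -l (lock) and -u (unlock), moves the user's authorized_keys aside or restores it, and then hands every argument unchanged to the real command. REAL_PASSWD is an assumed path for the real binary; the test user and key line used in the comments are constructed.

```shell
#!/bin/sh
# passwd-dosys style wrapper. Added example, not the poster's code.
# Install as e.g. /usr/local/sbin/passwd-dosys and point REAL_PASSWD at the
# genuine passwd binary (assumed path below); never point it back at this file.

: "${REAL_PASSWD:=/usr/bin/passwd}"

# home_dir USER: home directory from the passwd database (NSS-aware)
home_dir() {
    getent passwd "$1" | cut -d: -f6
}

# keys_lock HOME: rename authorized_keys to authorized_keys.locked so sshd finds
# no key for the account; no-op when the file is absent
keys_lock() {
    f="$1/.ssh/authorized_keys"
    if [ -e "$f" ]; then
        mv -- "$f" "$f.locked"
    fi
}

# keys_unlock HOME: restore the key file saved by keys_lock
keys_unlock() {
    f="$1/.ssh/authorized_keys"
    if [ -e "$f.locked" ]; then
        mv -- "$f.locked" "$f"
    fi
}

# passwd_wrapper ARGS...: detect -l/--lock or -u/--unlock plus the login name,
# act on the key file, then pass all arguments through to the real passwd
passwd_wrapper() {
    action=""
    user=""
    for a in "$@"; do
        case "$a" in
            -l|--lock)   action=lock ;;
            -u|--unlock) action=unlock ;;
            -*)          ;;          # any other option is left to the real command
            *)           user=$a ;;  # passwd takes the login name as its only operand
        esac
    done
    if [ -n "$action" ] && [ -n "$user" ]; then
        h=$(home_dir "$user")
        if [ -n "$h" ]; then
            case "$action" in
                lock)   keys_lock "$h" ;;
                unlock) keys_unlock "$h" ;;
            esac
        fi
    fi
    "$REAL_PASSWD" "$@"
}

# Only act when invoked with arguments, so sourcing the file is harmless
if [ $# -gt 0 ]; then
    passwd_wrapper "$@"
fi
```

The same shape works for a usermod front end by matching -L/-U instead of -l/-u. Two caveats a practitioner would want: the rename only covers the file named by the default AuthorizedKeysFile setting, so check sshd_config for additional key files, and an already established session is not affected by either the lock or the rename.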

On Fri, 02 Dec 2011 06:56:02 +0000, dosys-T2 wrote:

> “usermod -L” shows the same effect.

I’d be inclined to remove their host key from the user’s authorized_keys
file or just remove the authorized_keys file altogether. That would
prevent pubkey authentication from running at all.

Jim


Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner

  • dosys-T2 (Fri, 02 Dec 2011 06:06:02 GMT)

> When authenticating a user by a publickey, sshd grants access to that
> account even if it's locked by “passwd -l”. Seems like sshd is working
> the way it is designed. sshd assumes that the key represents a
> successful pam_authenticate and only calls pam_acct_mgmt. Unfortunately
> pam_authenticate and not pam_acct_mgmt is doing the locked account
> check, so the user is granted access.
>
> Does anybody know a workaround for this?

“UseLogin yes” in sshd_config. Be sure to read man sshd_config for the
mentioned value before that.

Thorsten