When authenticating a user by a publickey, sshd grants access to that
account even if it's locked by “passwd -l”. Seems like sshd is working
the way it is designed. sshd assumes that the key represents a successful
pam_authenticate and only calls pam_acct_mgmt. Unfortunately
pam_authenticate and not pam_acct_mgmt is doing the locked account
check, so the user is granted access.
Does anybody know a workaround for this? Maybe add an additional
PAM-module in the stack or modify /etc/pam.d/sshd in any way?
Have you tried using ‘usermod’ with its -L option? I have not, but it
may be worth doing since I believe it locks another way so PAM may see
that one (vs. passwd which just makes the password invalid and therefore
unusable, but that does not affect your user who is not using a password).
Good luck.
Bummer. You may want to create a script or something that, when you
lock a user, also renames their ~username/.ssh/authorized_keys file to
something like ~username/.ssh/authorized_keys.locked and with about ten
lines of shell scripting you could use usermod-dosys or passwd-dosys
which looks for the ‘-L’ or ‘-l’ and acts accordingly if there,
otherwise just passes through all of the arguments to the real command.
If you work out how to make PAM check password authentication info when
doing passwordless stuff please post back, though.
Good luck.
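The wrapper idea from the post above, written out as an added example (not code from the thread): a POSIX sh wrapper that passes its arguments through to the real passwd/usermod (set via REAL_CMD, an assumed variable) and, only if that call succeeded, mirrors a -l/-L lock or -u/-U unlock onto the user's authorized_keys by renaming it. HOME_BASE (assumed, default /home), the function names and the sample user are all constructed for this example, and it assumes the default AuthorizedKeysFile location.

```shell
#!/bin/sh
# lock_wrap.sh (hypothetical): keep pubkey auth in step with the account lock.
# sshd only calls pam_acct_mgmt for pubkey logins, so "passwd -l" alone does
# not stop them; renaming authorized_keys does, because sshd no longer finds it.
# Assumptions: REAL_CMD is the real /usr/bin/passwd or /usr/sbin/usermod,
# HOME_BASE is the parent of the home directories (default /home).

# Rename ~user/.ssh/authorized_keys to authorized_keys.locked.
lock_keys() {
    keys="${HOME_BASE:-/home}/$1/.ssh/authorized_keys"
    if [ -f "$keys" ]; then
        mv -- "$keys" "$keys.locked" || return 1
    fi
    return 0
}

# Reverse lock_keys: restore authorized_keys from authorized_keys.locked.
unlock_keys() {
    keys="${HOME_BASE:-/home}/$1/.ssh/authorized_keys"
    if [ -f "$keys.locked" ]; then
        mv -- "$keys.locked" "$keys" || return 1
    fi
    return 0
}

# Look for -l/-L (lock) or -u/-U (unlock) in the arguments the admin typed,
# take the last argument as the username, run the real command unchanged,
# and touch the key file only when the real command succeeded.
wrap_lock_cmd() {
    action=""
    for arg in "$@"; do
        case $arg in
            -l|-L) action=lock ;;
            -u|-U) action=unlock ;;
        esac
    done
    for last in "$@"; do :; done   # $last is now the final argument (username)
    "${REAL_CMD:?set REAL_CMD to the real passwd or usermod}" "$@" || return $?
    case $action in
        lock)   lock_keys "$last" ;;
        unlock) unlock_keys "$last" ;;
    esac
}
```

A non-default AuthorizedKeysFile, or keys served through AuthorizedKeysCommand, would need the same treatment applied to that location instead.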
On Fri, 02 Dec 2011 06:56:02 +0000, dosys-T2 wrote:
> “usermod -L” shows the same effect.
I’d be inclined to remove their host key from the user’s authorized_keys
file or just remove the authorized_keys file altogether. That would
prevent pubkey authentication from running at all.
dosys-T2 (Fri, 02 Dec 2011 06:06:02 GMT):
> When authenticating a user by a publickey, sshd grants access to that
> account even if it's locked by “passwd -l”. Seems like sshd is working
> the way it is designed. sshd assumes that the key represents a
> successful pam_authenticate and only calls pam_acct_mgmt. Unfortunately
> pam_authenticate and not pam_acct_mgmt is doing the locked account
> check, so the user is granted access.
> Does anybody know a workaround for this?
“UseLogin yes” in sshd_config. Be sure to read man sshd_config for the
mentioned value before that.