Linux locked accounts and PAM
Scott Ruckh
sruckh at gemneye.org
Sat Oct 4 22:31:49 UTC 2008
> On 04.10.2008 22:13, Scott Ruckh wrote:
>> Instead of prefixing hash with "!" use "*" instead. Still an impossible
>> password hash, and will work with PKA.
>>
> That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check password
> hash at all. The matter is that SSH public key authentication can be used
> to bypass password hash based authentication and restrictions it may
> impose, i. e. it allows other host to connect as a service account for
> backup purpose, for example, while it's still impossible to log in as that
> account in general. So in order to disallow some user logging in one must
> also either modify sshd_config or rename ~user/.ssh/authorized_keys to
> reflect the logging in prohibition, in addition to locking that user
> password hash.
> --
>
I was under the impression the question was how to use PKA and allow logins
but do not allow interactive shell logins through passwords entered using
keyboard. In my experience when the password hash is just "!!" PKA is not
allowed, but if the password hash is "**", then PKA is allowed. I
apparently mis-understood the original question. In my environment the
user's .ssh directories are set so that only a root user can modify the
authorized_keys file, the AllowGroups directive is used in the sshd_config
file, and pam_access is used.
More information about the Pam-list
mailing list