Linux locked accounts and PAM
Robert Wolf
r.wolf.gentoo at atlas.cz
Fri Oct 3 07:28:57 UTC 2008
On Thu, 2 Oct 2008, Max Bowsher wrote:
> In particular, an account "locked" in this fashion becomes ineligible
> for ssh logins by public key, as well as by password, when used in this
> manner, when OpenSSH is not using PAM.
>
> I'd quite like to make use of this feature even when OpenSSH *is* using
> PAM. Is there any existing way to configure PAM to respect this convention?
Hi Max,
could you look at pam_access module? Could this be for you good? You can
specify either simple users or groups of users allowed or disabled to access
pass PAM.
Then you can write /etc/security/disabled-access:
-:denyaccess:ALL
Then create group "denyaccess" and put users in this group. You can later easy
remove users or add other users.
And then create in sshd pam config (or in common-account):
account require pam_access.so accessfile=/etc/security/disabled-access
Then try to login with some user using pub-keys, then put this users in the
group denyaccess and try to login once more.
Is it good enough for you?
We have the same configuration for access, but we have also nss-ldap and
pam-ldap modules, so I can modify groups in LDAP. And I use rule "deny all,
allow any", it means, I have rule
-:ALL EXCEPT root allowedaccess:ALL
And then I put allowed users into the group allowedaccess. And we use ssh with
public keys too.
Regards,
Wolf.
More information about the Pam-list
mailing list