Linux locked accounts and PAM

Dan Yefimov dan at nf15.lightwave.net.ru
Sat Oct 4 18:39:50 UTC 2008


On 04.10.2008 22:13, Scott Ruckh wrote:
> Instead of prefixing hash with "!" use "*" instead.  Still an impossible
> password hash, and will work with PKA.
>
That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check the password hash at 
all. The matter is that SSH public key authentication can be used to bypass 
password hash based authentication and the restrictions it may impose, i.e. it 
allows another host to connect as a service account for backup purposes, for 
example, while it's still impossible to log in as that account in general. So in 
order to disallow some user from logging in, one must also either modify sshd_config 
or rename ~user/.ssh/authorized_keys to reflect the login prohibition, in 
addition to locking that user's password hash.
-- 

Sincerely Yours, Dan.
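An added audit script illustrating the point above; it is not code from the thread, from pam_unix or from OpenSSH. It lists accounts whose shadow hash is locked with a "!" or "*" prefix but whose home directory still carries ~/.ssh/authorized_keys, so public-key login would bypass the lock, and emits a matching sshd_config DenyUsers line (DenyUsers is a real sshd_config directive). The shadow, passwd and home-directory contents are constructed demo data in a temporary directory; against a live host you would point it at /etc/shadow and /etc/passwd as root.

```shell
#!/bin/sh
# Added example: find "locked" accounts that SSH public-key auth can still reach.
# The hash field of /etc/shadow being "!..." or "*" only blocks password auth;
# an existing authorized_keys file keeps key-based login working.

# locked_users SHADOW -> user names whose hash field starts with "!" or "*"
locked_users() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# keyed_locked_users SHADOW PASSWD -> "user home" for every locked account whose
# home directory (taken from PASSWD) still has a non-empty authorized_keys
keyed_locked_users() {
    locked_users "$1" | while read -r user; do
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$2")
        if [ -n "$home" ] && [ -s "$home/.ssh/authorized_keys" ]; then
            echo "$user $home"
        fi
    done
}

# deny_users_line SHADOW PASSWD -> an sshd_config "DenyUsers" line covering the
# accounts found above, so the SSH side of the lock matches the password side
deny_users_line() {
    users=$(keyed_locked_users "$1" "$2" | awk '{ print $1 }' | tr '\n' ' ')
    [ -n "$users" ] && echo "DenyUsers ${users% }"
    return 0
}

# --- constructed demo data standing in for /etc/shadow, /etc/passwd, homes ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/home/backup/.ssh" "$DEMO/home/alice/.ssh" "$DEMO/home/svc"
echo "ssh-ed25519 AAAAexamplekey backup@host" > "$DEMO/home/backup/.ssh/authorized_keys"
echo "ssh-ed25519 AAAAexamplekey alice@host" > "$DEMO/home/alice/.ssh/authorized_keys"
cat > "$DEMO/shadow" <<'EOF'
alice:$6$abc$hash:17000:0:99999:7:::
backup:!$6$abc$hash:17000:0:99999:7:::
svc:*:17000:0:99999:7:::
EOF
cat > "$DEMO/passwd" <<EOF
alice:x:1000:1000::$DEMO/home/alice:/bin/sh
backup:x:1001:1001::$DEMO/home/backup:/bin/sh
svc:x:1002:1002::$DEMO/home/svc:/sbin/nologin
EOF

keyed_locked_users "$DEMO/shadow" "$DEMO/passwd"   # prints: backup <demo home>
deny_users_line "$DEMO/shadow" "$DEMO/passwd"      # prints: DenyUsers backup
```

Only "backup" is reported: "alice" has keys but is not locked, and "svc" is locked but has no authorized_keys, which is exactly the combination the lock already covers.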
