Linux locked accounts and PAM

Scott Ruckh sruckh at gemneye.org
Sat Oct 4 22:31:49 UTC 2008


> On 04.10.2008 22:13, Scott Ruckh wrote:
>> Instead of prefixing hash with "!" use "*" instead.  Still an impossible
>> password hash, and will work with PKA.
>>
> That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check password 
> hash at all. The matter is that SSH public key authentication can be used 
> to bypass password hash based authentication and restrictions it may 
> impose, i.e., it allows another host to connect as a service account for 
> backup purposes, for example, while it's still impossible to log in as that 
> account in general. So in order to disallow some user logging in one must 
> also either modify sshd_config or rename ~user/.ssh/authorized_keys to 
> reflect the logging in prohibition, in addition to locking that user's 
> password hash.

I was under the impression the question was how to use PKA and allow logins 
but not allow interactive shell logins through passwords entered using the 
keyboard.  In my experience when the password hash is just "!!" PKA is not 
allowed, but if the password hash is "**", then PKA is allowed.  I 
apparently misunderstood the original question.  In my environment the 
users' .ssh directories are set so that only the root user can modify the 
authorized_keys file, the AllowGroups directive is used in the sshd_config 
file, and pam_access is used.
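
The behaviour described in the message above, modelled as an added example (this is not code from the thread, from OpenSSH or from Linux-PAM). It assumes the Linux convention that a shadow password field beginning with "!" (what passwd -l / usermod -L write, and the "!!" of a never-set password) marks the account as locked so that sshd refuses it for every authentication method, whereas a field beginning with "*" is merely an unmatchable hash that blocks password login but not public-key login. The shadow lines and the sshd_config fragment are constructed sample data, and AllowGroups is matched on exact group names only (real sshd also accepts patterns).

```shell
#!/bin/sh
# Added example: how a shadow password field and AllowGroups interact with
# password vs. public-key SSH login. Sample data below is constructed.

SAMPLE_SHADOW='alice:$6$saltsalt$N0tARealHashJustSampleDataForTheExampleAbcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN:17800:0:99999:7:::
backup:!!:17800:0:99999:7:::
svc-bkp:*:17800:0:99999:7:::
carol:!$6$saltsalt$AlsoNotARealHashUsedOnlyToShowTheLockPrefixAbcdefghijklmnopqrstuvwxyz0123456789AB:17800:0:99999:7:::'

SAMPLE_SSHD_CONFIG='Port 22
AllowGroups sshusers backupops
PasswordAuthentication yes'

# shadow_field USER -> the password field (2nd column) for USER from SAMPLE_SHADOW
shadow_field() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# classify_hash FIELD -> empty | locked | starred | hashed
# "locked" is the "!" prefix sshd treats as a locked account (assumption above);
# "starred" is the "*" prefix, an impossible hash that is not a lock marker.
classify_hash() {
    case "$1" in
        "")   echo empty ;;
        '!'*) echo locked ;;
        '*'*) echo starred ;;
        *)    echo hashed ;;
    esac
}

# ssh_login_policy FIELD -> "password=<yes|no> pubkey=<yes|no>"
ssh_login_policy() {
    case "$(classify_hash "$1")" in
        hashed)  echo "password=yes pubkey=yes" ;;
        starred) echo "password=no pubkey=yes" ;;  # unmatchable hash, PKA still works
        locked)  echo "password=no pubkey=no" ;;   # sshd refuses the account outright
        empty)   echo "password=no pubkey=yes" ;;  # PermitEmptyPasswords defaults to no
    esac
}

# relock_for_pka FIELD -> the same field re-locked with "*" instead of "!",
# i.e. the change suggested in the thread to keep the hash impossible while
# leaving public-key logins possible. "!!" becomes "*"; "!$6$..." becomes "*$6$...".
relock_for_pka() {
    f=$1
    while [ "${f#'!'}" != "$f" ]; do f=${f#'!'}; done   # strip every leading "!"
    case "$f" in
        '*'*) printf '%s\n' "$f" ;;
        *)    printf '*%s\n' "$f" ;;
    esac
}

# allowed_by_groups CONFIG "grp1 grp2 ..." -> 0 if no AllowGroups line exists
# or one of the user's groups is listed, 1 otherwise (exact names only).
allowed_by_groups() {
    allow=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }')
    [ -z "$allow" ] && return 0
    for g in $2; do
        for a in $allow; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# Walk the sample shadow file and report each account's effective SSH policy.
for user in alice backup svc-bkp carol; do
    field=$(shadow_field "$user")
    printf '%-8s %-8s %s\n' "$user" "$(classify_hash "$field")" "$(ssh_login_policy "$field")"
done
```

Run it as-is to see the four sample accounts: alice (real hash) can log in either way, svc-bkp ("*") only with a key, and backup ("!!") and carol ("!" in front of a real hash) not at all. relock_for_pka shows the edit the thread proposes for turning a "!"-locked entry into a key-only one; AllowGroups is a second, independent gate that applies regardless of the hash.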