Linux locked accounts and PAM

Max Bowsher maxb at f2s.com
Mon Oct 6 22:40:22 UTC 2008


Scott Ruckh wrote:
>>> Instead of prefixing the hash with "!", use "*" instead.  Still an impossible
>>> password hash, and will work with PKA.
>>>
>> That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check the password
>> hash at all. The matter is that SSH public key authentication can be
>> used to bypass password hash based authentication and the restrictions it
>> may impose, i.e. it allows another host to connect as a service account
>> for backup purposes, for example, while it's still impossible to log in
>> as that account in general. So in order to disallow some user logging
>> in one must also either modify sshd_config or rename
>> ~user/.ssh/authorized_keys to reflect the login prohibition, in
>> addition to locking that user's password hash.
> 
> I was under the impression the question was how to use PKA and allow
> logins but not allow interactive shell logins through passwords
> entered using the keyboard.  In my experience when the password hash is just
> "!!" PKA is not allowed, but if the password hash is "**", then PKA is
> allowed.  I apparently misunderstood the original question.  In my
> environment the users' .ssh directories are set so that only the root user
> can modify the authorized_keys file, the AllowGroups directive is used
> in the sshd_config file, and pam_access is used.

No, you've got my question backwards :-)

I know about the special behaviour of "!" in a password field when SSH
is managing authentication itself. My point is that this special
behavior does NOT exist any more when SSH is authenticating via PAM -
but I want it to!

Max.
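As an added illustration of the two checks this thread is about (example code, not anything posted in the thread and not OpenSSH's or Linux-PAM's own code), the Python below runs a few constructed /etc/shadow lines through a model of sshd's locked-account test, which OpenSSH performs only when UsePAM is off, and through a model of pam_unix's account phase, which consults the date fields and never the hash. It then shows the one knob pam_unix does enforce: an account expiry date, as set by `chage -E 0 user`. The "!" prefix as the locked marker, the simplified pam_unix logic, and the sample entries and "today" value are all assumptions made for the example.

```python
"""Which layer actually refuses a locked account under public-key auth?
Added example; models (not copies) OpenSSH allowed_user() and pam_unix's
account phase over constructed /etc/shadow lines."""
from dataclasses import dataclass, replace

# Constructed shadow(5) lines with fake hashes (not real accounts or secrets).
# Fields: name:hash:lastchg:min:max:warn:inact:expire:reserved
SAMPLE_SHADOW = """\
backup:!$6$c0nstructed$notARealHash:17000:0:99999:7:::
svcacct:*:17000:0:99999:7:::
alice:$6$c0nstructed$notARealHash:17000:0:99999:7:::
bob:!$6$c0nstructed$notARealHash:17000:0:99999:7::0:
"""

TODAY = 17500               # constructed clock, in days since the epoch
LOCKED_PASSWD_PREFIX = "!"  # assumption: the prefix a Linux OpenSSH build treats as "locked"


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    hash: str
    lastchg: int
    min_days: int
    max_days: int
    warn: int
    inact: int
    expire: int


def parse_shadow(text):
    """Parse shadow lines; empty numeric fields become -1, as getspnam(3) reports them."""
    def num(field):
        return int(field) if field else -1
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[f[0]] = ShadowEntry(f[0], f[1], *(num(x) for x in f[2:8]))
    return entries


def sshd_allowed_user(entry, use_pam):
    """Model of sshd's own locked-account test: it is skipped entirely when
    UsePAM is on, which is exactly the behaviour the thread is unhappy about."""
    if not use_pam and entry.hash.startswith(LOCKED_PASSWD_PREFIX):
        return False, "sshd: account is locked"
    return True, "sshd: ok"


def pam_unix_acct_mgmt(entry, today):
    """Model of pam_unix's account phase: only date fields are consulted,
    so a '!' in front of the hash is invisible here."""
    if entry.expire != -1 and today >= entry.expire:
        return "PAM_ACCT_EXPIRED"
    if entry.lastchg == 0:
        return "PAM_NEW_AUTHTOK_REQD"   # forced password change
    if entry.max_days != -1 and today - entry.lastchg > entry.max_days:
        return "PAM_NEW_AUTHTOK_REQD"   # password aged out
    return "PAM_SUCCESS"


def pubkey_login_decision(entry, use_pam, today=TODAY):
    """Would a public-key login for this entry get through? Public-key auth never
    touches the hash, so only the two checks above can stop it. Simplification:
    anything other than PAM_SUCCESS from the account phase counts as a denial."""
    ok, why = sshd_allowed_user(entry, use_pam)
    if not ok:
        return False, why
    if use_pam:
        rc = pam_unix_acct_mgmt(entry, today)
        if rc != "PAM_SUCCESS":
            return False, f"pam_unix account: {rc}"
    return True, "login allowed"


def expire_account(entry, day=0):
    """What `chage -E 0 user` does to the entry: an expiry date that pam_unix's
    account phase enforces for every auth method, unlike the '!' prefix."""
    return replace(entry, expire=day)


ENTRIES = parse_shadow(SAMPLE_SHADOW)

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        for use_pam in (False, True):
            print(f"{name:8} UsePAM={'yes' if use_pam else 'no':3} ->",
                  pubkey_login_decision(entry, use_pam))
    print("backup after chage -E 0, UsePAM=yes ->",
          pubkey_login_decision(expire_account(ENTRIES["backup"]), True))
```

Running it shows the asymmetry in the thread: `backup` (hash prefixed with "!") is refused by sshd with UsePAM off but sails through with UsePAM on, `svcacct` (hash "*") is accepted either way, and `bob`, whose expiry field is set, is refused by the PAM account phase regardless of the hash. Expiring the account is therefore the lock that survives the switch to PAM; the thread's other options (AllowGroups, pam_access, moving authorized_keys) work by adding a check rather than by relying on the hash.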
