Linux locked accounts and PAM

Max Bowsher maxb at f2s.com
Mon Oct 6 22:35:46 UTC 2008


Robert Wolf wrote:
> On Thu, 2 Oct 2008, Max Bowsher wrote:
> 
>> In particular, an account "locked" in this fashion becomes ineligible
>> for ssh logins by public key, as well as by password, when used in this
>> manner, when OpenSSH is not using PAM.
>>
>> I'd quite like to make use of this feature even when OpenSSH *is* using
>> PAM. Is there any existing way to configure PAM to respect this convention?
> 
> Hi Max,
> 
> could you look at the pam_access module? Could this be good for you? You can
> specify either simple users or groups of users allowed or disabled to access
> pass PAM.


Thanks - pam_access is an excellent example of a module I could fairly
trivially modify to achieve the desired effect.

It's not suitable as is, because my desire is to replicate exactly the
semantics of the passwd file without PAM. This is for two reasons:

(1) I have a mix of old and new machines. It would be nice for the same
configuration style to be applicable to both.

(2) I find it appropriate to keep the user status in the existing
/etc/shadow, rather than creating a new config file.

Max.
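
The check described in this message, sketched as an added example (not part of the original post and not code from Linux-PAM or OpenSSH): the decision a modified account module would make from the /etc/shadow hash field. It assumes the convention meant is the Linux one where `passwd -l` prefixes the hash with `!`; the function names and sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum lock_state { ACCT_OPEN, ACCT_LOCKED, ACCT_UNKNOWN };

/* Constructed sample in /etc/shadow format (name:hash:aging fields). */
static const char SAMPLE_SHADOW[] =
    "alice:$6$constructedsalt$constructedhash:14158:0:99999:7:::\n"
    "bob:!$6$constructedsalt$constructedhash:14158:0:99999:7:::\n"
    "daemon:*:14158:0:99999:7:::\n"
    "bobby:$6$constructedsalt$constructedhash:14158:0:99999:7:::\n";

/* Assumption: only a leading '!' (as written by passwd -l) means locked;
 * "*" and empty fields are left to the rest of the PAM stack. */
static int hash_is_locked(const char *hash, size_t len)
{
    return len > 0 && hash[0] == '!';
}

/* Look up `user` in shadow-format text and classify the hash field. */
enum lock_state shadow_lock_state(const char *text, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *line = text; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        /* Require "user:" at line start so "bob" never matches "bobby". */
        if (ulen && llen > ulen && !strncmp(line, user, ulen) && line[ulen] == ':') {
            const char *hash = line + ulen + 1;
            size_t rest = llen - ulen - 1;
            const char *end = memchr(hash, ':', rest);
            return hash_is_locked(hash, end ? (size_t)(end - hash) : rest)
                       ? ACCT_LOCKED : ACCT_OPEN;
        }
        line = eol ? eol + 1 : NULL;
    }
    return ACCT_UNKNOWN;
}

/* A real module would call this from pam_sm_acct_mgmt(), reading entries
 * with getspnam(), and return PAM_PERM_DENIED for ACCT_LOCKED. The account
 * stack is the right place: sshd runs it for public-key logins too. */
int main(void)
{
    const char *users[] = { "alice", "bob", "daemon", "nobody" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-7s -> %d\n", users[i], shadow_lock_state(SAMPLE_SHADOW, users[i]));
    return 0;
}
```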
