|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
On 04.10.2008 22:13, Scott Ruckh wrote:That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check password hash at all. The matter is that SSH public key authentication can be used to bypass password hash based authentication and restrictions it may impose, i. e. it allows other host to connect as a service account for backup purpose, for example, while it's still impossible to log in as that account in general. So in order to disallow some user logging in one must also either modify sshd_config or rename ~user/.ssh/authorized_keys to reflect the logging in prohibition, in addition to locking that user password hash.Instead of prefixing hash with "!" use "*" instead. Still an impossible password hash, and will work with PKA.--
I was under the impression the question was how to use PKA and allow logins but do not allow interactive shell logins through passwords entered using keyboard. In my experience when the password hash is just "!!" PKA is not allowed, but if the password hash is "**", then PKA is allowed. I apparently mis-understood the original question. In my environment the user's .ssh directories are set so that only a root user can modify the authorized_keys file, the AllowGroups directive is used in the sshd_config file, and pam_access is used.
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list