locked account accessible via pubkey auth
Dost, Alexander
Alexander.Dost at drkw.com
Tue Jan 29 23:28:07 EST 2002
Thanks for the answer. Funny solution to my problem now is:
do a passwd -l and -f so the account is expired and locked. When logging in,
the user is asked to change the password (as password auth is enabled also)
and entering the old login pw fails :-) Dirty but working. I agree that
changing the authorized_keys file is a better way.
Thanks for the help.
Alex
> -----Original Message-----
> From: Damien Miller [SMTP:djm at mindrot.org]
> Sent: Tuesday, January 29, 2002 13:16
> To: Dost, Alexander
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: locked account accessable via pubkey auth
>
> On Tue, 29 Jan 2002, Dost, Alexander wrote:
>
> > maybe this is a silly question ;-) But why is it possible to
> > login on a machine with a locked account (passwd -l) via
> > pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1 on
> > Solaris8 with PAM support so I thought this should not happen.
> >
> > If this is the normal behaviour and built in intentionally what
> > would be the easiest way to lock an account without deleting the
> > user's authorized_keys ? If not, what output do you need to verify
> > the problem ?
>
> "locking" an account is really locking the password, since you
> are not using password authentication this is ignored.
>
> A way that should work is to mark the account as expired, or
> just rename the ~/.ssh/authorized_keys file
>
> -d
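
An audit for the situation discussed in this thread, as an added example that is not part of the original messages or of OpenSSH: it lists accounts whose password is locked but which are not expired and still have a usable authorized_keys file. The function names, the shadow entries, the key strings and the home directory layout are constructed for illustration; it assumes the `*LK*` (Solaris `passwd -l`) and `!` prefix lock markers and treats an expire date in the past as an expired account.

```python
import os, tempfile, time

LOCK_MARKERS = ("*LK*", "!")  # Solaris `passwd -l` marker; "!" prefix on Linux

# Constructed sample, layout name:pw:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
alice:*LK*:11716::::::
bob:*LK*:11716:::::11700:
carol:$1$constructed$hash:11716::::::
dave:!$1$constructed$hash:11716::::::
"""

def has_keys(path):
    """True if path exists and holds at least one non-comment, non-blank line."""
    try:
        with open(path) as fh:
            return any(l.strip() and not l.lstrip().startswith("#") for l in fh)
    except OSError:
        return False

def audit_locked_accounts(shadow_text, home_dirs, today=None):
    """Return sorted users that are password-locked, not expired, and keyed."""
    if today is None:
        today = int(time.time() // 86400)  # shadow dates are days since epoch
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 8:
            continue  # blank or malformed entry
        user, pw_field, expire = fields[0], fields[1], fields[7]
        if not pw_field.startswith(LOCK_MARKERS):
            continue  # password is not locked
        if expire.isdigit() and int(expire) < today:
            continue  # assumption: expire date in the past = account expired
        home = home_dirs.get(user)
        if home and has_keys(os.path.join(home, ".ssh", "authorized_keys")):
            flagged.append(user)
    return sorted(flagged)

def demo(today=11717):
    """Build constructed home directories in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        homes = {u: os.path.join(root, u) for u in ("alice", "bob", "carol", "dave")}
        for user, home in homes.items():
            os.makedirs(os.path.join(home, ".ssh"))
            if user != "dave":  # dave has no authorized_keys file
                with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
                    fh.write("ssh-rsa AAAA-constructed-key %s@example\n" % user)
        return audit_locked_accounts(SAMPLE_SHADOW, homes, today=today)

if __name__ == "__main__":
    print(demo())
```
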