locked account accessible via pubkey auth

Lacoss-Arnold, Jason Jason.Lacoss-Arnold at AGEDWARDS.com
Tue Jan 29 23:37:09 EST 2002


What we're doing is adding the users to a special group called "disabled"
and we have a "DenyGroups disabled" directive in our sshd_config file.  Since
we're rolling out an account provisioning tool, we can customize it to add
the user to that group when they're disabled.  Alternatively, it could be
done manually by policies/procedures, but I don't trust our operations folk
to get it right.

Thanks,
--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501
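An added audit check, written for this page and not posted by anyone in the thread, that finds the condition the thread describes: accounts whose password was locked with passwd -l but which sshd would still accept over pubkey auth because an authorized_keys file is installed. It skips accounts already covered by the two mitigations discussed (an expiry date, or membership in the DenyGroups group). The shadow, group and home-directory contents are constructed samples; the group name "disabled" is taken from the message above.

```shell
#!/bin/sh
# Added example, not from the thread: report accounts whose password is locked
# yet remain reachable through authorized_keys, since pubkey auth never looks
# at the password hash. Expired accounts and DenyGroups members are excluded.
is_locked_hash() {
    case "$1" in
        '!'*|'*LK*'*|'*') return 0 ;;   # Linux "!" prefix, Solaris *LK* marker
        *) return 1 ;;
    esac
}
# audit_locked_pubkey SHADOW HOME_ROOT GROUP_FILE DENY_GROUP -> one user per line
audit_locked_pubkey() {
    shadow=$1; home_root=$2; group_file=$3; deny_group=$4
    today=$(( $(date +%s) / 86400 ))            # days since epoch, as in shadow(5)
    # Members listed on the deny group's group(5) line
    denied=$(awk -F: -v g="$deny_group" '$1 == g { print $4 }' "$group_file")
    while IFS=: read -r user hash lastchg min max warn inact expire flag; do
        is_locked_hash "$hash" || continue
        # An expiry date in the past is enforced for every auth method
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then continue; fi
        # DenyGroups refuses the user before any authentication is attempted
        case ",$denied," in *",$user,"*) continue ;; esac
        # Without an installed key there is nothing for pubkey auth to accept
        [ -r "$home_root/$user/.ssh/authorized_keys" ] || continue
        printf '%s\n' "$user"
    done < "$shadow"
}
# build_fixture DIR: constructed sample data exercising each rule once
build_fixture() {
    d=$1
    for u in alice bob carol erin; do
        mkdir -p "$d/home/$u/.ssh" && : > "$d/home/$u/.ssh/authorized_keys"
    done
    mkdir -p "$d/home/dave"                     # locked, but no key installed
    cat > "$d/shadow" <<'EOF'
alice:!$6$salt$hash:15000:0:99999:7:::
bob:!$6$salt$hash:15000:0:99999:7::10000:
carol:$6$salt$hash:15000:0:99999:7:::
dave:!!:15000:0:99999:7:::
erin:*LK*:15000:0:99999:7:::
EOF
    printf 'disabled:x:1010:erin\n' > "$d/group"
}
tmp=$(mktemp -d); build_fixture "$tmp"
audit_locked_pubkey "$tmp/shadow" "$tmp/home" "$tmp/group" disabled   # prints: alice
rm -rf "$tmp"
```

Only alice is reported: bob's expiry date has passed, carol's password is not locked, dave has no key, and erin is in the disabled group.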


-----Original Message-----
From: Dost, Alexander [mailto:Alexander.Dost at drkw.com]
Sent: Tuesday, January 29, 2002 6:28
To: 'Damien Miller'
Cc: openssh-unix-dev at mindrot.org
Subject: RE: locked account accessible via pubkey auth


Thanks for the answer. The funny solution to my problem now is:
do a passwd -l and -f so the account is expired and locked. When logging in,
the user is asked to change the password (as password auth is enabled also)
and entering the old login pw fails :-) Dirty but working. I agree that
changing the authorized_keys file is a better way.
Thanks for the help.

Alex

> -----Original Message-----
> From:	Damien Miller [SMTP:djm at mindrot.org]
> Sent:	Tuesday, January 29, 2002 13:16
> To:	Dost, Alexander
> Cc:	openssh-unix-dev at mindrot.org
> Subject:	Re: locked account accessible via pubkey auth
> 
> On Tue, 29 Jan 2002, Dost, Alexander wrote:
> 
> > maybe this is a silly question ;-) But why is it possible to
> > login on a machine with a locked account (passwd -l ) via
> > pubkey-authentication (authorized_keys) ? I use OpenSSH 3.01p1 on
> > Solaris 8 with PAM support so I thought this should not happen.
> >
> > If this is the normal behaviour and built in intentionally what
> > would be the easiest way to lock an account without deleting the
> > users authorized_keys ? If not, what output do you need to verify
> > the problem ?
> 
> "locking" an account is really locking the password; since you
> are not using password authentication, this is ignored.
> 
> A way that should work is to mark the account as expired, or
> just rename the ~/.ssh/authorized_keys file
> 
> -d



