PAM auth with disabled user

Peter Michalek peter.michalek at centrify.com
Fri Feb 3 04:06:33 EST 2006


Here is a complete screenshot.

After failing in Kerberos "keyboard-interactive", authentication falls to
the local "password authentication" (this would happen both before and
after modifications, the only difference is the extra message indicating
the account is locked).


ssh fred.dref at rhel3-host
Red Hat Enterprise Linux ES release 3 (Taroon Update 2)
Kernel \r on an \m

Password: 
Account cannot be accessed at this time. Please contact your system
administrator

Password: 
Account cannot be accessed at this time. Please contact your system
administrator

Password: 
Account cannot be accessed at this time. Please contact your system
administrator

fred.dref at rhel3-host's password: 
Permission denied, please try again.
fred.dref at rhel3-host's password: 
Received disconnect from 192.168.175.50: 2: Too many authentication
failures for fred.dref


----------
Without the changes, this is what would happen:

ssh fred.dref at rhel3-host
Red Hat Enterprise Linux ES release 3 (Taroon Update 2)
Kernel \r on an \m

Password: 
Password: 
Password: 
fred.dref at rhel3-host's password: 
Permission denied, please try again.
fred.dref at rhel3-host's password: 
Received disconnect from 192.168.175.50: 2: Too many authentication
failures for fred.dref



-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au] 
Sent: Thursday, February 02, 2006 1:34 AM
To: Peter Michalek
Cc: openssh-unix-dev at mindrot.org; Paul Moore
Subject: Re: Red: PAM auth with disabled user

On Wed, Feb 01, 2006 at 05:28:40PM -0800, Peter Michalek wrote:
> The patch you suggested works OK, I tried it on the snapshot of 1/28/06
> using a user authenticated via GSSAPI/Kerberos, with this result, which
> I think is acceptable:
[...]

It's not clear to me from the output, but does the connection close after
the PAM account check failed?

> Could we make this part of the openssh sourcebase?

I think so, once it's clear that it's doing what it is intended, which
is to make the behaviour more consistent with the different auth methods.
(Damien?)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



