<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35">
<TITLE>RE: locked account accessible via pubkey auth</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>What we're doing is adding the users to a special group called "disabled" and we have a "DenyGroups disabled" directive in our sshd_config file. Since we're rolling out an account provisioning tool, we can customize it to add the user to that group when they're disabled. Alternatively, it could be done manually by policies/procedures, but I don't trust our operations folk to get it right.</FONT></P>
<P><FONT SIZE=2>Thanks,</FONT>
<BR><FONT SIZE=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT>
<BR><FONT SIZE=2>Technical Services - Unix Arch.</FONT>
<BR><FONT SIZE=2>314-955-8501</FONT>
</P>
<BR>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Dost, Alexander [<A HREF="mailto:Alexander.Dost@drkw.com">mailto:Alexander.Dost@drkw.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Tuesday, January 29, 2002 6:28</FONT>
<BR><FONT SIZE=2>To: 'Damien Miller'</FONT>
<BR><FONT SIZE=2>Cc: openssh-unix-dev@mindrot.org</FONT>
<BR><FONT SIZE=2>Subject: RE: locked account accessible via pubkey auth</FONT>
</P>
<BR>
<P><FONT SIZE=2>Thanks for the answer. Funny solution to my problem now is:</FONT>
<BR><FONT SIZE=2>do a passwd -l and -f so the account is expired and locked. When logging in,</FONT>
<BR><FONT SIZE=2>the user is asked to change the password (as password auth is enabled also)</FONT>
<BR><FONT SIZE=2>and entering the old login pw fails :-) Dirty but working. I agree that</FONT>
<BR><FONT SIZE=2>changing the authorized_keys file is a better way.</FONT>
<BR><FONT SIZE=2>Thanks for the help.</FONT>
</P>
<P><FONT SIZE=2>Alex</FONT>
</P>
<P><FONT SIZE=2>> -----Original Message-----</FONT>
<BR><FONT SIZE=2>> From: Damien Miller [SMTP:djm@mindrot.org]</FONT>
<BR><FONT SIZE=2>> Sent: Tuesday, January 29, 2002 13:16</FONT>
<BR><FONT SIZE=2>> To: Dost, Alexander</FONT>
<BR><FONT SIZE=2>> Cc: openssh-unix-dev@mindrot.org</FONT>
<BR><FONT SIZE=2>> Subject: Re: locked account accessible via pubkey auth</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> On Tue, 29 Jan 2002, Dost, Alexander wrote:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> > maybe this is a silly question ;-) But why is it possible to</FONT>
<BR><FONT SIZE=2>> > login on a machine with a locked account (passwd -l ) via</FONT>
<BR><FONT SIZE=2>> > pubkey-authentication (authorized_keys) ? I use OpenSSH 3.01p1 on</FONT>
<BR><FONT SIZE=2>> > Solaris 8 with PAM support so I thought this should not happen.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > If this is the normal behaviour and built in intentionally what</FONT>
<BR><FONT SIZE=2>> > would be the easiest way to lock an account without deleting the</FONT>
<BR><FONT SIZE=2>> > users authorized_keys ? If not, what output do you need to verify</FONT>
<BR><FONT SIZE=2>> > the problem ?</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> "locking" an account is really locking the password, since you</FONT>
<BR><FONT SIZE=2>> are not using password authentication this is ignored. </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> A way that should work is to mark the account as expired, or</FONT>
<BR><FONT SIZE=2>> just rename the ~/.ssh/authorized_keys file</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> -d</FONT>
</P>
<BR>
<P><FONT SIZE=2>If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to</FONT></P>
<P><FONT SIZE=2><A HREF="http://www.drkw.com/disc/email/" TARGET="_blank">http://www.drkw.com/disc/email/</A> or contact the sender.</FONT>
<BR><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>openssh-unix-dev@mindrot.org mailing list</FONT>
<BR><FONT SIZE=2><A HREF="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev" TARGET="_blank">http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P>
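<P><FONT SIZE=2>Added audit example (not written by any of the posters above and not part of OpenSSH): a POSIX shell script that lists accounts whose password is locked but which still have a non-empty authorized_keys file and are not covered by a DenyGroups entry, i.e. the gap the thread describes. It runs on constructed copies of shadow, group and sshd_config files plus a sample home-directory tree, so it needs no root. The locked-password markers it looks for (a leading "!" as Linux passwd -l writes, "*LK*" as Solaris passwd -l writes) and all function and file names are the example's own assumptions.</FONT></P>

```shell
#!/bin/sh
# Audit: which password-locked accounts can still log in by public key?
# Added example, not from the thread. All data below is constructed so the
# script runs without touching the real /etc/shadow, /etc/group or sshd_config.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample data ------------------------------------------------
# bob and dave are locked Linux-style ("!"), carol Solaris-style ("*LK*")
cat > "$WORK/shadow" <<'EOF'
alice:$6$abc$hash:15000:0:99999:7:::
bob:!$6$def$hash:15000:0:99999:7:::
carol:*LK*$1$ghi$hash:15000:0:99999:7:::
dave:!$6$jkl$hash:15000:0:99999:7:::
EOF
# only bob has been put into the "disabled" group the post describes
cat > "$WORK/group" <<'EOF'
disabled:x:999:bob
EOF
cat > "$WORK/sshd_config" <<'EOF'
PubkeyAuthentication yes
DenyGroups disabled
EOF
for u in alice bob carol dave; do mkdir -p "$WORK/home/$u/.ssh"; done
echo "ssh-rsa AAAA... alice@example" > "$WORK/home/alice/.ssh/authorized_keys"
echo "ssh-rsa AAAA... bob@example"   > "$WORK/home/bob/.ssh/authorized_keys"
echo "ssh-rsa AAAA... carol@example" > "$WORK/home/carol/.ssh/authorized_keys"
# dave has no authorized_keys at all, so a locked password really locks him out

# is_locked USER SHADOWFILE -> success if the password field carries a lock marker
is_locked() {
    pw=$(awk -F: -v u="$1" '$1==u {print $2}' "$2")
    case "$pw" in
        '!'*|'*LK*'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# in_deny_group USER GROUPFILE SSHD_CONFIG -> success if USER is a member of
# any group named on a DenyGroups line (sshd refuses such users for every
# authentication method, which is what makes the group approach work)
in_deny_group() {
    groups=$(awk '$1=="DenyGroups" {for (i=2; i<=NF; i++) print $i}' "$3")
    for g in $groups; do
        members=$(awk -F: -v g="$g" '$1==g {print $4}' "$2" | tr ',' ' ')
        for m in $members; do
            [ "$m" = "$1" ] && return 0
        done
    done
    return 1
}

# find_bypass SHADOW GROUP SSHD_CONFIG HOMEROOT -> prints every user that is
# password-locked, still has a non-empty authorized_keys, and is not denied
find_bypass() {
    awk -F: '{print $1}' "$1" | while read -r u; do
        if is_locked "$u" "$1" && [ -s "$4/$u/.ssh/authorized_keys" ] \
           && ! in_deny_group "$u" "$2" "$3"; then
            echo "$u"
        fi
    done
}

find_bypass "$WORK/shadow" "$WORK/group" "$WORK/sshd_config" "$WORK/home"
```

<P><FONT SIZE=2>On the constructed data only carol is printed: bob is locked too, but the "disabled" group named in DenyGroups covers him, and dave has no key file. sshd evaluates DenyGroups when a user authenticates, before any authentication method runs, so adding a user to the group takes effect at that user's next login attempt; editing sshd_config itself still requires the daemon to re-read its configuration. Pointing the four paths at the real files (as root) turns this into a quick check that the provisioning tool described above has not missed anyone.</FONT></P>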
<CODE><FONT SIZE=3><BR>
<BR>
***************************************************************************************<BR>
WARNING: All e-mail sent to and from this address will be received or<BR>
otherwise recorded by the A.G. Edwards corporate e-mail system and is<BR>
subject to archival, monitoring or review by, and/or disclosure to,<BR>
someone other than the recipient.<BR>
***************************************************************************************<BR>
</FONT></CODE></BODY>
</HTML>