Preventing ssh keys from granting a user access when LDAP account is disabled.


 



>
>________________________________________
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Gordon Messmer [yinyang at eburg.com]
>Sent: 20 July 2010 18:32
>To: General discussion list for the 389 Directory server project.
>Subject: Re: Preventing ssh keys from granting a user access when LDAP account is disabled.
>
>On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>> Hi, there is a bugzilla raised concerns users still being able to
>> login if they have ssh keys even if their ldap account is disabled.
>
>Define "disabled".  If your only flag is the userpassword field, you
>won't find a good solution to this problem, since that field will never
>be used by an ssh session using keys.

Good point... I define disabled as setting the user as disabled in the console or the user having typed his password wrong too many times and then getting locked out.

I still don't understand PAM as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.

>
>I believe you can use pam_access(5) to grant login access only to
>members of a group in your directory, and remove users from that group
>when you disable their login access.

That was my plan but it is not perfect...


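The pam_access approach suggested in the thread, sketched as an added example that is not part of the original messages. With `UsePAM yes`, sshd skips the PAM auth stack for public-key logins but still runs the account stack, so a group check placed there applies to key holders as well. The group name `ssh-users` is a hypothetical LDAP group resolved through NSS, and the file paths are the usual defaults, assumed here.

```conf
# /etc/ssh/sshd_config
# sshd must hand the login to PAM, otherwise the account stack never runs.
UsePAM yes

# /etc/pam.d/sshd  (account stack)
# Evaluated for key-based logins as well as password logins.
# "required" so a denial here cannot be overridden by a later module.
account    required     pam_access.so

# /etc/security/access.conf
# Format: permission : users/groups : origins. The first matching rule wins.
# Parentheses force the name to be treated as a group, not a user.
# "ssh-users" is a hypothetical group; removing a user from it in the
# directory is what revokes their login, whatever keys they hold.
+ : root : ALL
+ : (ssh-users) : ALL
- : ALL : ALL
```

Group membership is looked up through NSS, so a caching layer such as nscd or sssd can delay the effect of removing a user from the group. Sessions that are already open are not closed by this check.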