On 07/20/2010 08:32 PM, Gerrard Geldenhuis wrote:
>> On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>>> Hi
>>> There is a bugzilla raised concerning users still being able to
>>> log in if they have ssh keys even if their ldap account is disabled.
>>
>> Define "disabled". If your only flag is the userpassword field, you
>> won't find a good solution to this problem, since that field will never
>> be used by an ssh session using keys.
>
> Good point... I define disabled as setting the user as disabled in the console or the user having typed his password wrong too many times and then getting locked out.
>
> I still don't understand pam as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.
>
>>
>> I believe you can use pam_access(5) to grant login access only to
>> members of a group in your directory, and remove users from that group
>> when you disable their login access.
>
> That was my plan but it is not perfect...

In a stunning coincidence, i was looking at this problem just this morning. :)

In my environment not all of the accounts that should be able to log in are in LDAP (some are local to the systems), so while i configured PAM to check LDAP before any local mechanism, i couldn't just lock out a failed LDAP check either. Since a "disabled" user in LDAP could still technically authenticate locally (i.e. against a keyfile), i was running into exactly the same problem you mentioned originally.

The LDAP groups here share a 1:1 relationship with Posix groups, which lends itself well to using PAM to control SSH logins based on group membership criteria.

With this in mind, i configured PAM to use the "listfile" mechanism, wherein the contents of a simple text file can be compared against a given criteria during the authentication process. In a nutshell, i put the allowed groups - one per line - in /etc/ssh_login_groups, and then put this line at the top of my /etc/pam.d/sshd :

auth requisite pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh_login_groups

I then created an LDAP group called "disabled", and now instead of deactivating users in the traditional sense, i simply revoke their group membership and put them into the disabled group. Since that group isn't listed in the listfile, they can't log in, regardless of any other possibilities.

--
Daniel Maher <dma + 389users AT witbe DOT net>
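The following script is an added example and is not part of the thread or of any poster's configuration. It models the decision pam_listfile.so makes with `onerr=fail item=group sense=allow file=...`: a user is allowed only if at least one of their groups appears in the list file, and a missing or unreadable list file denies rather than allows. The list file and the user-to-groups mapping (the `user_groups` function, a stand-in for `id -Gn`) are constructed so the script runs offline; `pam_config_line` is a helper of this example, not a pam_listfile option. One caveat worth knowing when placing the line: with OpenSSH and `UsePAM yes`, the PAM `auth` stack is only consulted for password and keyboard-interactive logins, while the `account` stack runs for every authentication method including public keys. pam_listfile.so supports the account type as well, so the same line under `account` covers key-based sessions; the example prints both forms.

```shell
#!/bin/sh
# Added example: simulate pam_listfile.so with
#   onerr=fail item=group sense=allow file=/etc/ssh_login_groups
# using constructed data (no real accounts or system files are read).

# Constructed stand-in for /etc/ssh_login_groups: one allowed group per line.
ALLOWED_GROUPS_FILE="${ALLOWED_GROUPS_FILE:-$(mktemp)}"
printf '%s\n' sysadmins devs > "$ALLOWED_GROUPS_FILE"

# Constructed stand-in for the group list `id -Gn "$1"` would return.
# On a real host replace the case statement with: id -Gn "$1"
user_groups() {
    case "$1" in
        alice) echo "alice sysadmins" ;;
        bob)   echo "bob devs" ;;
        carol) echo "carol disabled" ;;   # moved into the LDAP "disabled" group
        *)     return 1 ;;                # unknown user: lookup error
    esac
}

# listfile_allows USER [FILE]
# Returns 0 (allow) if any of USER's groups is listed in FILE, 1 (deny) otherwise.
# onerr=fail semantics: a missing/unreadable file or a failed group lookup denies.
listfile_allows() {
    user="$1"
    file="${2:-$ALLOWED_GROUPS_FILE}"
    [ -r "$file" ] || return 1                          # onerr=fail
    groups=$(user_groups "$user") || return 1           # onerr=fail
    for g in $groups; do
        # -x: whole-line match, -F: group names are literals, not regexes
        if grep -qxF -- "$g" "$file"; then
            return 0
        fi
    done
    return 1
}

# pam_config_line STACK [FILE]
# Prints the pam.d/sshd line for the given management group ("auth" or "account").
pam_config_line() {
    printf '%s requisite pam_listfile.so onerr=fail item=group sense=allow file=%s\n' \
        "$1" "${2:-/etc/ssh_login_groups}"
}

# Demonstration when run directly: the "disabled" user and the unknown user are
# denied, and so is everyone if the list file disappears (onerr=fail).
for u in alice bob carol dave; do
    if listfile_allows "$u"; then echo "$u: allow"; else echo "$u: deny"; fi
done
if listfile_allows alice /nonexistent/ssh_login_groups; then
    echo "missing list file: allow"
else
    echo "missing list file: deny"
fi
pam_config_line auth
pam_config_line account
```

The check a practitioner would run after deploying the real thing is the negative one: confirm that a user moved into the "disabled" group is refused on a public-key login, not just a password login. If the key login still succeeds, the module is in a stack that sshd is not consulting for that method.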