> ________________________________________
> From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] on behalf of Gordon Messmer [yinyang@xxxxxxxxx]
> Sent: 20 July 2010 18:32
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
>
> On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>> Hi. There is a bugzilla raised concerning users still being able to
>> log in if they have ssh keys even if their ldap account is disabled.
>
> Define "disabled". If your only flag is the userpassword field, you
> won't find a good solution to this problem, since that field will never
> be used by an ssh session using keys.

Good point... I define disabled as setting the user as disabled in the console, or the user having typed his password wrong too many times and then getting locked out. I still don't understand PAM as well as I should, but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys, and would deny a user if he/she is disabled. Maybe I should change a "password sufficient" to "password required". I guess I need to play around a bit more.

> I believe you can use pam_access(5) to grant login access only to
> members of a group in your directory, and remove users from that group
> when you disable their login access.

That was my plan but it is not perfect...

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
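As an added example (not code from this thread or from the 389 Directory Server project), the following Python evaluator implements a subset of the pam_access(5) access.conf rule semantics that the reply above refers to. It shows the mechanism behind the suggestion: pam_access is an account-stack module, and OpenSSH with UsePAM runs the account stack for public-key logins as well (only the auth stack, where password checks live, is skipped), so removing a user from the gating group denies the login regardless of whether a key or a password was used. The sshd PAM fragment, the group name sshusers, the user names and the origins are all constructed for illustration; the evaluator handles ALL, ALL EXCEPT, user names, (group) names, LOCAL and exact origin names only, not pam_access's netmask or domain-suffix matching.

```python
"""Evaluate a subset of pam_access(5) access.conf rules.

Added example, not code from the 389 Directory Server project or from the
mailing-list thread.  pam_access is an *account* module: sshd with UsePAM
runs the account stack for public-key logins too (only the auth stack is
skipped), so a group-membership rule here applies however the user
authenticated.
"""
from dataclasses import dataclass
from typing import Callable, List

# Constructed /etc/pam.d/sshd fragment showing where pam_access sits.
SSHD_PAM_STACK = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass
auth     required   pam_ldap.so use_first_pass
account  required   pam_access.so
account  required   pam_unix.so broken_shadow
account  required   pam_ldap.so
"""

# Constructed access.conf: permission : users/groups : origins.
# Rules are scanned top to bottom and the first match wins.
ACCESS_CONF = """\
+ : root : LOCAL          # root only at the console
+ : (sshusers) : ALL      # members of the (hypothetical) LDAP group sshusers
- : ALL : ALL             # everyone else is denied
"""


@dataclass
class Rule:
    permit: bool
    users: List[str]    # tokens: user name, (group), ALL, EXCEPT
    origins: List[str]  # tokens: host name, LOCAL, ALL, EXCEPT


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf lines, ignoring blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in rule: {raw!r}")
        rules.append(Rule(perm == "+", users.split(), origins.split()))
    return rules


def _match_list(tokens: List[str], predicate: Callable[[str], bool]) -> bool:
    """Match a users or origins field, honouring 'X EXCEPT Y' lists."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (any(predicate(t) for t in tokens[:i])
                and not any(predicate(t) for t in tokens[i + 1:]))
    return any(predicate(t) for t in tokens)


def _user_token_matches(token: str, user: str, groups: List[str]) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups      # group membership, e.g. from LDAP
    return token == user


def _origin_token_matches(token: str, origin: str) -> bool:
    # Subset: ALL, LOCAL (console/tty logins) and exact host names only;
    # real pam_access also matches network/netmask and domain suffixes.
    if token == "ALL":
        return True
    return token == origin


def is_login_permitted(rules: List[Rule], user: str, groups: List[str],
                       origin: str) -> bool:
    """Return the decision of the first matching rule (permit if none matches)."""
    for rule in rules:
        if (_match_list(rule.users, lambda t: _user_token_matches(t, user, groups))
                and _match_list(rule.origins, lambda t: _origin_token_matches(t, origin))):
            return rule.permit
    return True  # pam_access grants access when no rule matches


RULES = parse_access_conf(ACCESS_CONF)

if __name__ == "__main__":
    # "Disabling" alice in the directory = removing her from sshusers: the
    # account-stack decision flips even though her ssh key is unchanged.
    for groups in (["sshusers", "users"], ["users"]):
        print("alice", groups, "->",
              is_login_permitted(RULES, "alice", groups, "10.0.0.5"))
```

The closing `- : ALL : ALL` rule is what makes the scheme fail closed: without it, a user who is in no listed group would fall through to pam_access's default of permitting the login.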