Re: Linux locked accounts and PAM

On Thu, 2 Oct 2008, Max Bowsher wrote:

> In particular, an account "locked" in this fashion becomes ineligible
> for ssh logins by public key, as well as by password, when used in this
> manner, when OpenSSH is not using PAM.
> 
> I'd quite like to make use of this feature even when OpenSSH *is* using
> PAM. Is there any existing way to configure PAM to respect this convention?

Hi Max,

could you look at the pam_access module? Could this be good for you? You can 
specify either single users or groups of users that are allowed or denied access 
through PAM.

Then you can write /etc/security/disabled-access:

-:denyaccess:ALL

Then create the group "denyaccess" and put users in this group. You can later easily 
remove users or add other users.

And then create in sshd pam config (or in common-account):

account required pam_access.so accessfile=/etc/security/disabled-access

Then try to log in with some user using public keys, then put this user in the 
group denyaccess and try to log in once more.

Is it good enough for you?

We have the same configuration for access, but we also have the nss-ldap and 
pam-ldap modules, so I can modify groups in LDAP. And I use the rule "deny all, 
allow any", meaning I have the rule 

-:ALL EXCEPT root allowedaccess:ALL

And then I put the allowed users into the group allowedaccess. And we use ssh with 
public keys too.


Regards,

Wolf.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
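Both rule styles from the reply above (the "denyaccess" group and the "deny all except root and allowedaccess" form) are easy to get backwards and lock yourself out of a host, so a dry-run before editing the real file is worth having. The following is an added example, not code from the thread or from the pam_access module: a minimal Python evaluator for the subset of the pam_access(8) access.conf syntax the thread uses (`permission:users:origins`, with `ALL` and `EXCEPT` in the users field, first match wins, access granted when no rule matches). The user names and the group membership table are constructed for the example rather than read from /etc/group or LDAP.

```python
"""Dry-run evaluator for pam_access style access.conf rules (added example).

Models only the subset of the syntax used in the thread:
    permission : users : origins
permission is '+' or '-'; users is a space-separated list of user names,
group names (optionally written as "(group)"), or ALL, with an optional
EXCEPT list; origins is ALL or a list of literal origin names.
The first matching rule decides; with no match, access is granted, which
is what pam_access does as well.
"""

# Constructed group database; the user names are hypothetical.
GROUPS = {
    "denyaccess": {"mallory"},
    "allowedaccess": {"alice", "bob"},
    "wheel": {"alice"},
}

# The two configurations quoted in the reply.
DENY_GROUP_CONF = "-:denyaccess:ALL\n"
ALLOWLIST_CONF = "-:ALL EXCEPT root allowedaccess:ALL\n"


def _name_matches(name, user):
    """A token in the users field matches as a user name or a group name."""
    if name == "ALL" or name == user:
        return True
    # Newer pam_access releases accept "(group)" to force a group lookup.
    group = name[1:-1] if name.startswith("(") and name.endswith(")") else name
    return user in GROUPS.get(group, set())


def _users_field_matches(field, user):
    """Match 'a b ALL EXCEPT c d' the way pam_access does: the part before
    EXCEPT must match and the part after it must not."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        included, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        included, excluded = tokens, []
    if not any(_name_matches(t, user) for t in included):
        return False
    return not any(_name_matches(t, user) for t in excluded)


def parse_rules(text):
    """Parse access.conf text into (permission, users, origins) tuples,
    ignoring blank lines and '#' comments; malformed lines raise."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3 or parts[0] not in ("+", "-"):
            raise ValueError("malformed access rule: %r" % raw)
        rules.append((parts[0], parts[1], parts[2]))
    return rules


def check_access(rules, user, origin="ALL"):
    """Return True if `user` from `origin` would be granted access."""
    for permission, users, origins in rules:
        if origins != "ALL" and origin not in origins.split():
            continue
        if _users_field_matches(users, user):
            return permission == "+"
    return True  # no rule matched: pam_access grants access


if __name__ == "__main__":
    for label, conf in (("deny group", DENY_GROUP_CONF), ("allow list", ALLOWLIST_CONF)):
        rules = parse_rules(conf)
        for who in ("alice", "bob", "mallory", "root", "carol"):
            print("%-10s %-8s -> %s" % (label, who, "allow" if check_access(rules, who) else "deny"))
```

Run it before deploying a change to the real access file: a user who should keep access but comes out as "deny" (for instance an admin not yet added to the allowedaccess group in the allow-list variant) is exactly the lockout the reply warns about.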
