On 04.10.2008 22:13, Scott Ruckh wrote:
Instead of prefixing hash with "!" use "*" instead. Still an impossible
password hash, and will work with PKA.
That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check password hash at
all. The matter is that SSH public key authentication can be used to bypass
password hash based authentication and restrictions it may impose, i. e. it
allows other host to connect as a service account for backup purpose, for
example, while it's still impossible to log in as that account in general. So in
order to disallow some user logging in one must also either modify sshd_config
or rename ~user/.ssh/authorized_keys to reflect the logging in prohibition, in
addition to locking that user password hash.
--
Sincerely Your, Dan.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
