On 04.10.2008 22:13, Scott Ruckh wrote:
Instead of prefixing hash with "!" use "*" instead. Still an impossible
password hash, and will work with PKA.
That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check password
hash at all. The matter is that SSH public key authentication can be used
to bypass password hash based authentication and restrictions it may
impose, i. e. it allows other host to connect as a service account for
backup purpose, for example, while it's still impossible to log in as that
account in general. So in order to disallow some user logging in one must
also either modify sshd_config or rename ~user/.ssh/authorized_keys to
reflect the logging in prohibition, in addition to locking that user
password hash.
--
I was under the impression the question was how to use PKA and allow logins
but do not allow interactive shell logins through passwords entered using
keyboard. In my experience when the password hash is just "!!" PKA is not
allowed, but if the password hash is "**", then PKA is allowed. I
apparently mis-understood the original question. In my environment the
user's .ssh directories are set so that only a root user can modify the
authorized_keys file, the AllowGroups directive is used in the sshd_config
file, and pam_access is used.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
