Scott Ruckh wrote:
>>> Instead of prefixing hash with "!" use "*" instead. Still an impossible
>>> password hash, and will work with PKA.
>>>
>> That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check password
>> hash at all. The matter is that SSH public key authentication can be
>> used to bypass password hash based authentication and restrictions it
>> may impose, i.e. it allows another host to connect as a service account
>> for backup purposes, for example, while it's still impossible to log in
>> as that account in general. So in order to disallow some user logging
>> in one must also either modify sshd_config or rename
>> ~user/.ssh/authorized_keys to reflect the logging-in prohibition, in
>> addition to locking that user's password hash.
>
> I was under the impression the question was how to use PKA and allow
> logins but do not allow interactive shell logins through passwords
> entered using keyboard. In my experience when the password hash is just
> "!!" PKA is not allowed, but if the password hash is "**", then PKA is
> allowed. I apparently misunderstood the original question. In my
> environment the user's .ssh directories are set so that only a root user
> can modify the authorized_keys file, the AllowGroups directive is used
> in the sshd_config file, and pam_access is used.

No, you've got my question backwards :-) I know about the special behaviour of "!" in a password field when SSH is managing authentication itself. My point is that this special behavior does NOT exist any more when SSH is authenticating via PAM - but I want it to!

Max.
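As an added illustration (not code from anyone in this thread), a small audit that applies the point made above: because pam_unix's account management does not look at the hash, a "!"-locked password does not by itself stop public-key logins, so locked accounts have to be cross-checked against the presence of an authorized_keys file. The shadow lines and the authorized_keys inventory below are constructed sample data, not real system files.

```python
# Audit: find accounts whose password is locked ("!" prefix) but which still
# have an authorized_keys file, i.e. still reachable via SSH public-key auth
# when sshd defers authentication to PAM and pam_unix ignores the hash.

# Constructed /etc/shadow-style sample lines (hash values are placeholders).
SAMPLE_SHADOW = """\
root:$6$saltvalue$hashvalue:19000:0:99999:7:::
backup:!$6$saltvalue$hashvalue:19000:0:99999:7:::
olduser:!!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
deploy:*:19000:0:99999:7:::
"""

# Constructed inventory of users that have a ~user/.ssh/authorized_keys file.
SAMPLE_AUTHORIZED_KEYS = {"backup", "deploy"}


def classify_hash(field):
    """Classify a shadow password field by what it means for password auth."""
    if field.startswith("!"):
        return "locked"        # passwd -l / usermod -L: admin intends no login
    if field == "*":
        return "nopassword"    # impossible hash: password auth never succeeds
    return "active"            # a real hash: password auth possible


def audit(shadow_text, users_with_keys):
    """Map each user to a finding combining hash state and key availability."""
    findings = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        state = classify_hash(field)
        has_keys = user in users_with_keys
        if state == "locked":
            # The lock is not honoured by pam_unix account management, so a
            # present authorized_keys file means the account is still usable.
            findings[user] = "locked-but-key-login" if has_keys else "locked"
        elif state == "nopassword":
            findings[user] = "key-only" if has_keys else "no-login"
        else:
            findings[user] = "password-and-key" if has_keys else "password-only"
    return findings


def needs_action(findings):
    """Users whose lock intent is defeated by an authorized_keys file."""
    return sorted(u for u, f in findings.items() if f == "locked-but-key-login")
```

For a flagged user the remediation the thread describes is to also disable the key path (rename authorized_keys or restrict the account in sshd_config), not just lock the hash.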
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list