Robert Wolf wrote: > On Thu, 2 Oct 2008, Max Bowsher wrote: > >> In particular, an account "locked" in this fashion becomes ineligible >> for ssh logins by public key, as well as by password, when used in this >> manner, when OpenSSH is not using PAM. >> >> I'd quite like to make use of this feature even when OpenSSH *is* using >> PAM. Is there any existing way to configure PAM to respect this convention? > > Hi Max, > > could you look at pam_access module? Could this be for you good? You can > specify either simple users or groups of users allowed or disabled to access > pass PAM. Thanks - pam_access is an excellent example of a module I could fairly trivially modify to achieve the desired effect. It's not suitable as is, because my desire is to replicate exactly the semantics of the passwd file without PAM. This is for two reasons: (1) I have a mix of old and new machines. It would be nice for the same configuration style to be applicable to both. (2) I find it appropriate to keep the user status in the existing /etc/shadow, rather than creating a new config file. Max.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
