Bug#219377: SSHd: Ignores Pam Lockout When using SSH PubKey Auth
Phillip Hofmeister writes:
> Package: ssh
> Version: 3.4p1-1.woody.3
> Severity: Important
>
> If a ~/.ssh/authorized_key file exists and a user's account is locked
> with 'passwd -l' the user can still log in despite the locked account.
This is trivially true - all passwd -l does is make the password field
in the {shadow,passwd} file be a value that nothing encrypts to, thus
preventing successful password authentication.
If a user is using publickey authentication, then no password check is
made (that's rather the point) - therefore it will be impossible to
disable access by simply fiddling with the password file.
Accordingly, if a sysadmin wants to be able to disable accounts using
passwd -l, then they'll have to enforce password authentication on all
logins.
Matthew
--
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org
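An audit script for the situation Matthew describes, added here as an example (it is not code from the bug report or from the ssh package): it lists accounts whose shadow entry has been locked with passwd -l but which still carry an authorized_keys file, i.e. accounts that sshd would still admit via publickey authentication. The sample passwd/shadow files, home directories and key lines are constructed inline; the hash values are placeholders.

```shell
#!/bin/sh
# List accounts locked with `passwd -l` that still have an
# ~/.ssh/authorized_keys file. passwd -l prefixes the shadow hash with "!",
# so any hash starting with "!" (or "*", no usable password) counts as locked.
# Both paths are parameters so the check runs on constructed data or on the
# real /etc/shadow and /etc/passwd (reading /etc/shadow needs root).
audit_locked_with_keys() {
    shadow="$1"   # shadow(5)-format file
    passwd="$2"   # passwd(5)-format file, used to find home directories
    while IFS=: read -r user pw _rest; do
        case "$pw" in
            '!'*|'*'*) ;;      # locked or no usable password
            *) continue ;;     # password auth still possible; not our concern
        esac
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd")
        [ -n "$home" ] && [ -s "$home/.ssh/authorized_keys" ] && echo "$user"
    done < "$shadow"
}

# Build a constructed sample: alice is locked but has a key (the gap this
# bug report describes), bob is locked with no key, carol is active with a key.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/.ssh" "$root/home/bob" "$root/home/carol/.ssh"
    printf 'alice:x:1001:1001::%s/home/alice:/bin/sh\n' "$root" >  "$root/passwd"
    printf 'bob:x:1002:1002::%s/home/bob:/bin/sh\n'     "$root" >> "$root/passwd"
    printf 'carol:x:1003:1003::%s/home/carol:/bin/sh\n' "$root" >> "$root/passwd"
    # Placeholder hashes, not real; "!" prefix is what passwd -l writes.
    printf 'alice:!$6$PLACEHOLDER:19000:0:99999:7:::\n' >  "$root/shadow"
    printf 'bob:!$6$PLACEHOLDER:19000:0:99999:7:::\n'   >> "$root/shadow"
    printf 'carol:$6$PLACEHOLDER:19000:0:99999:7:::\n'  >> "$root/shadow"
    echo 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY alice@example' > "$root/home/alice/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY carol@example' > "$root/home/carol/.ssh/authorized_keys"
    echo "$root"
}

# Run the audit over the constructed sample; prints only "alice".
demo() {
    root=$(make_sample)
    audit_locked_with_keys "$root/shadow" "$root/passwd"
    rm -rf "$root"
}

demo
```

Against a real host, run `audit_locked_with_keys /etc/shadow /etc/passwd` as root; any account it prints needs the key removed or password authentication enforced, as the reply suggests.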