Bug#219377: Debian bug #219377: further info
It wouldn't break that functionality if it were made a config file
option...
On Sun, 22 Feb 2004 at 12:45:07PM -0500, Colin Watson wrote:
> severity 219377 wishlist
> thanks
>
> On Sun, Nov 09, 2003 at 05:38:09PM +1100, Darren Tucker wrote:
> > I have some further info regarding the Debian bug you reported ("sshd
> > ignores PAM lockout when using pubkey auth").
> >
> > Recently this was addressed in the upstream source (3.7p1 and up) for the
> > non-PAM case. On platforms that have a concept of a locked account, sshd
> > checks for the specific string that denotes a locked account on that
> > platform.
> >
> > When running with PAM enabled, however, sshd delegates all account checks
> > to PAM. Thus the locked account check should be done by PAM (probably in
> > pam_acct_mgmt).
> >
> > Later patchlevels of Solaris do this kind of check in PAM (I think in
> > pam_acct_mgmt, but I'm not sure of that).
>
> To lock an account, I think you should set the shell to /bin/false or
> /dev/null or similar. Having asked around, I know people who
> deliberately lock the password to force public-key authentication only;
> implementing this feature request would break that facility.
>
> Cheers,
>
> --
> Colin Watson [cjwatson@flatline.org.uk]
--
Phillip Hofmeister
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
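
The thread contrasts two ways of handling an account: locking the password (which, per the report, still leaves public-key logins working when sshd runs with PAM) and setting a non-login shell. The following audit sketch is an added example, not code from OpenSSH, PAM or anyone in this thread. It assumes the Linux shadow(5) convention that `passwd -l` prepends "!" to the stored hash; the sample data, the `/usr/sbin/nologin` entry and all function names are constructed for illustration.

```python
# Added example: audit sketch, not code from OpenSSH or the bug thread.
# Assumption: Linux shadow(5) convention, where "passwd -l" prepends "!"
# to the stored hash to mark the password as locked.

# /bin/false and /dev/null come from the thread; nologin is an assumption.
NON_LOGIN_SHELLS = {"/bin/false", "/dev/null", "/usr/sbin/nologin"}

# Constructed sample data (not real accounts or hashes).
SAMPLE_PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/false
dave:x:1003:1003::/home/dave:/bin/bash
"""
SAMPLE_SHADOW = """\
alice:$6$salt$hash:19000:0:99999:7:::
bob:!$6$salt$hash:19000:0:99999:7:::
carol:!$6$salt$hash:19000:0:99999:7:::
dave:!:19000:0:99999:7:::
"""
# Users assumed to have a non-empty ~/.ssh/authorized_keys.
SAMPLE_KEY_HOLDERS = {"alice", "bob", "carol"}


def password_locked(shadow_field):
    """True when the shadow password field carries the '!' lock marker."""
    return shadow_field.startswith("!")


def audit(passwd_text, shadow_text, key_holders):
    """Classify every password-locked account by what still lets it log in."""
    shells = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:
            shells[parts[0]] = parts[6]
    report = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not password_locked(parts[1]):
            continue  # malformed line, or password not locked
        user = parts[0]
        if shells.get(user) in NON_LOGIN_SHELLS:
            report[user] = "disabled-by-shell"
        elif user in key_holders:
            report[user] = "pubkey-still-works"  # the case this bug is about
        else:
            report[user] = "no-credential"
    return report
```

Accounts reported as "pubkey-still-works" are the ones to review: either they are intentionally key-only, as described in the thread, or they were meant to be disabled and need a non-login shell or their keys removed.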