Bug#219377: Debian bug #219377: further info
Phillip Hofmeister wrote:
> It wouldn't break that functionality if it were made a config file
> option...

IMO, making sshd second-guess PAM when UsePAM=yes would be the Wrong
Thing, either all the time or as an option. Speaking as one of the
upstream OpenSSH developers, it is very unlikely that such a patch would
be accepted upstream. Debian is of course welcome to do whatever they
see fit.

If you want that behaviour, you should arrange for PAM to do it.
Putting policy decisions like this in the hands of the system's admin is
the whole point of PAM. (You could do it with a module that tests for
locked accounts in your sshd PAM account stack. Such a module would be
trivial to write if one doesn't already exist.)

Alternatively, you could recompile OpenSSH 3.7.1p2 without PAM, and it
will behave as you wish.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
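
The lock test that a PAM account module of the kind suggested in the message could perform, as an added example that is not part of the original message and is not OpenSSH or Debian code. It assumes the Linux shadow convention that a locked password field starts with `!`; the names `pwfield_locked`, `shadow_text_locked`, the `WITH_PAM` build switch and the sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in shadow(5) format; the hashes are placeholders. */
static const char SAMPLE_SHADOW[] =
    "alice:$6$constructedsalt$constructedhash:12345:0:99999:7:::\n"
    "bob:!$6$constructedsalt$constructedhash:12345:0:99999:7:::\n"
    "bobby:$6$constructedsalt$constructedhash:12345:0:99999:7:::\n";

/* Assumption: `passwd -l` style locking, i.e. a leading '!' in the field. */
int pwfield_locked(const char *pw)
{
    return pw != NULL && pw[0] == '!';
}

/* Returns 1 = locked, 0 = not locked, -1 = no entry for this exact name. */
int shadow_text_locked(const char *text, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = text;
    if (ulen == 0)
        return -1;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        /* Require the ':' right after the name so "bob" never matches "bobby". */
        if (strncmp(line, user, ulen) == 0 && line[ulen] == ':')
            return pwfield_locked(line + ulen + 1);
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

#ifdef WITH_PAM                      /* PAM glue, compiled only on request */
#include <shadow.h>
#include <security/pam_modules.h>
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    struct spwd *sp;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;
    sp = getspnam(user);             /* NULL if no shadow entry is readable */
    if (sp != NULL && pwfield_locked(sp->sp_pwdp))
        return PAM_PERM_DENIED;      /* locked: refuse in the account phase */
    return PAM_SUCCESS;              /* note: a missing entry is allowed */
}
#else
int main(void) { printf("bob locked: %d\n", shadow_text_locked(SAMPLE_SHADOW, "bob")); return 0; }
#endif
```

Because the refusal happens in the account phase, it applies regardless of which authentication method sshd accepted, which is the behaviour the thread asks for while leaving the policy in PAM.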