OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Linux locked accounts and PAM

From: Max Bowsher (maxbf2s.com)
Date: Mon Oct 06 2008 - 17:35:46 CDT


Robert Wolf wrote:
> On Thu, 2 Oct 2008, Max Bowsher wrote:
>
>> In particular, an account "locked" in this fashion becomes ineligible
>> for ssh logins by public key, as well as by password, when used in this
>> manner, when OpenSSH is not using PAM.
>>
>> I'd quite like to make use of this feature even when OpenSSH *is* using
>> PAM. Is there any existing way to configure PAM to respect this convention?
>
> Hi Max,
>
> could you look at pam_access module? Could this be for you good? You can
> specify either simple users or groups of users allowed or disabled to access
> pass PAM.

Thanks - pam_access is an excellent example of a module I could fairly
trivially modify to achieve the desired effect.

It's not suitable as is, because my desire is to replicate exactly the
semantics of the passwd file without PAM. This is for two reasons:

(1) I have a mix of old and new machines. It would be nice for the same
configuration style to be applicable to both.

(2) I find it appropriate to keep the user status in the existing
/etc/shadow, rather than creating a new config file.

Max.

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://www.redhat.com/mailman/listinfo/pam-list