On 07/20/2010 08:32 PM, Gerrard Geldenhuis wrote:
>> On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>>> Hi, there is a bugzilla raised concerning users still being able to
>>> log in if they have ssh keys even if their ldap account is disabled.
>> Define "disabled". If your only flag is the userpassword field, you
>> won't find a good solution to this problem, since that field will never
>> be used by an ssh session using keys.
> Good point... I define disabled as setting the user as disabled in the console or the user having typed his password wrong too many times and then getting locked out.
> I still don't understand pam as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.
>> I believe you can use pam_access(5) to grant login access only to
>> members of a group in your directory, and remove users from that group
>> when you disable their login access.
> That was my plan but it is not perfect...
In a stunning coincidence, i was looking at this problem just this
In my environment not all of the accounts that should be able to log in
are in LDAP (some are local to the systems), so while i configured PAM
to check LDAP before any local mechanism, i couldn't just lock out a
failed LDAP check either. Since a "disabled" user in LDAP could still
technically authenticate locally (i.e. against a keyfile), i was running
into exactly the same problem you mentioned originally.
The LDAP groups here share a 1:1 relationship with Posix groups, which
lends itself well to using PAM to control SSH logins based on group
membership criteria. With this in mind, i configured PAM to use the
"listfile" mechanism, wherein the contents of a simple text file can be
compared against a given criterion during the authentication process.
In a nutshell, i put the allowed groups - one per line - in
/etc/ssh_login_groups, and then put this line at the top of my
auth requisite pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh_login_groups
I then created an LDAP group called "disabled", and now instead of
deactivating users in the traditional sense, i simply revoke their group
membership and put them into the disabled group. Since that group isn't
listed in the listfile, they can't log in, regardless of any other
Daniel Maher <dma + 389users AT witbe DOT net>
389 users mailing list
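Added example (mine, not Daniel's configuration or anything from the 389 project): a small shell model of the decision pam_listfile.so makes with item=group sense=allow onerr=fail, run against a constructed copy of the /etc/ssh_login_groups list. It covers the two cases from the thread (a user still in an allowed group, a user moved into the "disabled" group only) plus the onerr=fail failure mode, where an unreadable list denies everyone rather than failing open.

```shell
#!/bin/sh
# Added example, not code from the thread. Models how pam_listfile.so decides
#   item=group sense=allow onerr=fail file=/etc/ssh_login_groups
# for a user, given the groups that user belongs to.

# listfile_group_allowed FILE GROUP...
# Returns 0 (allow) if any GROUP appears as a whole line in FILE, else 1 (deny).
listfile_group_allowed() {
    file=$1
    shift
    # onerr=fail: a missing or unreadable list is a denial, never an allow
    [ -r "$file" ] || return 1
    for g in "$@"; do
        # -x: whole-line match; -F: group names are literal, not regexes
        if grep -qxF -- "$g" "$file"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample list: one allowed group per line, as in the thread
demo() {
    list=$(mktemp)
    printf 'sshusers\nadmins\n' > "$list"

    # alice keeps her sshusers membership -> login permitted
    if listfile_group_allowed "$list" users sshusers; then
        echo "alice: allow"
    fi
    # bob was moved out of sshusers into "disabled" -> login denied
    if ! listfile_group_allowed "$list" users disabled; then
        echo "bob: deny"
    fi
    # the list itself is gone -> onerr=fail denies even a valid group
    if ! listfile_group_allowed "$list.missing" sshusers; then
        echo "no list: deny"
    fi
    rm -f "$list"
}

demo
```

One caveat when applying this to ssh keys specifically: sshd runs the PAM account and session stacks for publickey logins but not the auth stack, so a pam_listfile line meant to stop key-based sessions belongs in the account section of /etc/pam.d/sshd, not only in auth.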