[389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.

[Gerrard Geldenhuis]

>
>________________________________________
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Gordon Messmer [yinyang at eburg.com]
>Sent: 20 July 2010 18:32
>To: General discussion list for the 389 Directory server project.
>Subject: Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
>
>On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>> Hi There is a bugzilla raised concerns users still being able to
>> login if they have ssh keys even if there ldap account is disabled.
>
>Define "disabled".  If your only flag is the userpassword field, you
>won't find a good solution to this problem, since that field will never
>be used by an ssh session using keys.

Good point... I define disabled as setting the user as disabled in in the console or the user having typed his password wrong to many times and then getting locked out. 

I still don't understand pam as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.

>
>I believe you can use pam_access(5) to grant login access only to
>members of a group in your directory, and remove users from that group
>when you disable their login access.

That was my plan but it is not perfect...

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________