[389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
Gordon Messmer
yinyang at eburg.com
Wed Jul 21 15:53:48 UTC 2010
On 07/20/2010 11:32 AM, Gerrard Geldenhuis wrote:
> Good point... I define disabled as setting the user as disabled in
> the console or the user having typed his password wrong too many times
> and then getting locked out.
I don't see "disable" in the console. I do see "inactivate". This adds
the ldap entry to an "inactive" role. As far as I know, any form of
inactivation or lockout in LDAP is merely going to prevent binding to
that ldap entry. The trick is, that doesn't happen with ssh keys. If
you're logging in to a system over ssh, basically the only checks that
matter are: 1) does the user exist and 2) is the key valid? Since the
password is never given, there's no attempt to bind to LDAP.
There are a number of pam_... options available in /etc/ldap.conf, but
I'm not sure if those are used when doing ssh logins with keys. That's
probably worth checking out if you use nss_ldap. There are probably
similar options for nss_sss, but I haven't looked at that yet either. :)
> I still don't understand pam as well as I should but it would make
> sense to me for PAM to "check" LDAP before checking ssh... It does so
> when you don't have ssh keys and would deny a user if he/she is
> disabled. Maybe I should change a password sufficient to password
> required. I guess I need to play around a bit more.
It won't affect sshd. I wouldn't modify the PAM configuration unless
you really know what you're doing. You're more likely to lock yourself
out completely than anything else. If you want sshd to require
passwords, change sshd's configuration so that it doesn't allow key logins.
>> I believe you can use pam_access(5) to grant login access only to
>> members of a group in your directory, and remove users from that
>> group when you disable their login access.
>
> That was my plan but it is not perfect...
What's not suitable about that plan?
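The pam_access(5) approach raised in the thread is configured through an access.conf file; the following is an added example, not code from the list post or the 389 project, that evaluates a constructed access.conf fragment the way pam_access would (first matching line wins) so the "allow one directory group, deny everyone else" policy can be checked before it is deployed. It covers only a subset of the real syntax (+/- permission, ALL, bare user names, (groupname), and an origins field matched literally); EXCEPT, netgroups and address masks are not handled.

```shell
#!/bin/sh
# Added example: minimal evaluator for a subset of the pam_access(5)
# access.conf format. Not the 389-ds or pam_access source; written to
# illustrate how the "members of one group only" rule is matched.

# Constructed sample policy (hypothetical group name "sshusers"):
#   root may log in from the origin "LOCAL",
#   members of sshusers may log in from anywhere,
#   everyone else is denied. First matching line wins.
SAMPLE_POLICY='# access.conf sample (constructed)
+ : root : LOCAL
+ : (sshusers) : ALL
- : ALL : ALL'

# access_check USER "GROUP1 GROUP2 ..." ORIGIN
# Prints "allow" or "deny". No matching rule means allow, as in pam_access.
access_check() {
  user=$1; groups=$2; origin=$3
  result=allow
  while IFS= read -r line; do
    # skip blank lines and comments
    case $line in ''|'#'*) continue ;; esac
    perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
    who=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ')
    from=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
    # origins field: ALL, or a literal match (simplification of pam_access)
    if [ "$from" != ALL ] && [ "$from" != "$origin" ]; then
      continue
    fi
    matched=0
    for item in $(printf '%s' "$who" | tr ',' ' '); do
      case $item in
        ALL) matched=1 ;;
        '('*')')
          # (name) is matched only as a group, never as a user
          g=${item#\(}; g=${g%\)}
          for ug in $groups; do
            if [ "$ug" = "$g" ]; then matched=1; fi
          done ;;
        *) if [ "$item" = "$user" ]; then matched=1; fi ;;
      esac
    done
    if [ "$matched" -eq 1 ]; then
      if [ "$perm" = '+' ]; then result=allow; else result=deny; fi
      break
    fi
  done <<EOF
$SAMPLE_POLICY
EOF
  printf '%s\n' "$result"
}

# Usage with constructed users, groups and origins:
echo "alice (sshusers) from 203.0.113.5: $(access_check alice 'users sshusers' 203.0.113.5)"
echo "bob (users only) from 203.0.113.5: $(access_check bob users 203.0.113.5)"
echo "root from LOCAL: $(access_check root wheel LOCAL)"
echo "root from 203.0.113.5: $(access_check root wheel 203.0.113.5)"
```

In a real deployment the rules live in /etc/security/access.conf and pam_access.so is listed in the account phase of sshd's PAM service file; that account check runs for key-based logins only when sshd is built with PAM support and has UsePAM set to yes, which is what makes this approach apply to the ssh-key case discussed above. Removing a user from the directory group is then enough to stop key logins, without touching the auth phase or sshd's key handling.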