On Fri, 2003-10-31 at 13:27, Kurt Lieber wrote:
> Right now, at least on Gentoo, if you lock a user's account with passwd -l
> <username>, that user is still able to access their account if they have
> ssh keys set up. This is, in my mind, a fairly big security hole.
> Googling, I found an issue related to the Solaris implementation of PAM[1]
> that was fixed in a later version.
>
> Does anyone know if there is a way to fix this in Gentoo and/or Linux? (I
> don't have access to any non-Gentoo linux boxen atm, so I can't say for
> sure if this issue exists on other distros) A tweak to PAM, perhaps?
>
> --kurt

It's often overlooked but a much easier method for locking a user out is
simply to change their default shell to /bin/false or something like it.
SSH keys or not, they won't be getting access to the box anytime soon
without a default shell.

kevyn
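As an added example that is not part of this thread (neither Kurt's nor Kevyn's code, and nothing from Gentoo), here is a small POSIX shell audit that takes one /etc/passwd line and the matching /etc/shadow line and reports the three separate lock mechanisms involved: the password lock that `passwd -l` sets, a nologin shell, and the account expiry date. The function names, the list of nologin shells and the sample entries in the comments are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.  Given one
# /etc/passwd line and the matching /etc/shadow line, report which of three
# independent lock mechanisms are in place.  Function names and the list of
# nologin shells are assumptions; the sample entries below are constructed.
#
# Usage on a live host (reading /etc/shadow needs root):
#   account_lock_status "$(getent passwd alice)" "$(getent shadow alice)"

# Shells that refuse to run anything for the user.  Assumed paths; adjust
# for the distribution being audited.
NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin"

# Days since the epoch, the unit shadow(5) uses for the expiry field.
days_today() {
    echo $(( $(date +%s) / 86400 ))
}

# account_lock_status PASSWD_LINE SHADOW_LINE
# Prints one line: pw=<locked|open> shell=<nologin|login> expired=<yes|no>
account_lock_status() {
    passwd_line=$1
    shadow_line=$2

    # passwd(5): field 7 is the login shell.
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    # shadow(5): field 2 is the password hash, field 8 the expiry date.
    pw_hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)

    # passwd -l prefixes the hash with "!"; "*" also means no valid password.
    # Either one only defeats *password* authentication, which is exactly why
    # an authorized_keys entry still works after passwd -l.
    case $pw_hash in
        '!'*|'*'*) pw=locked ;;
        *)         pw=open ;;
    esac

    # A nologin shell stops interactive logins and remote commands, but a
    # session that asks for no command at all (ssh -N, used for port
    # forwarding) never runs the shell.
    shell_state=login
    for s in $NOLOGIN_SHELLS; do
        if [ "$shell" = "$s" ]; then
            shell_state=nologin
        fi
    done

    # The expiry date is checked by sshd (directly against shadow, or through
    # PAM account management) independently of how the user authenticated,
    # so it covers key-based logins.  Empty, and 0 per shadow(5), means
    # "never expires".
    expired=no
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$(days_today)" -gt "$expire" ]; then
        expired=yes
    fi

    printf 'pw=%s shell=%s expired=%s\n' "$pw" "$shell_state" "$expired"
}

# ssh_key_login_blocked PASSWD_LINE SHADOW_LINE
# Exit status 0 only when the expiry date, the one mechanism that applies to
# a key-based SSH login, is in the past.
ssh_key_login_blocked() {
    case $(account_lock_status "$1" "$2") in
        *expired=yes) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed samples (hashes are placeholders):
#   alice: passwd -l applied, login shell kept, no expiry (the thread's case)
#     account_lock_status 'alice:x:1000:1000::/home/alice:/bin/bash' \
#         'alice:!$6$saltsalt$hashhash:19000:0:99999:7:::'
#     -> pw=locked shell=login expired=no
#   bob: locked, /bin/false shell and expiry day 1 (1970-01-02)
#     account_lock_status 'bob:x:1001:1001::/home/bob:/bin/false' \
#         'bob:*:19000:0:99999:7::1:'
#     -> pw=locked shell=nologin expired=yes
```

The practical reading of the three flags: `passwd -l` only blocks password authentication, a `/bin/false` shell blocks shells and commands but not `ssh -N` port forwarding, and the expiry date is what sshd enforces no matter which authentication method succeeded. Setting all three at once, for example `usermod -L -e 1970-01-02 -s /sbin/nologin alice` (shadow-utils flags; the date maps to day 1 in the expiry field), closes the key-based path the thread describes.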