| 1 |
On Fri, 2003-10-31 at 13:27, Kurt Lieber wrote: |
| 2 |
> Right now, at least on Gentoo, if you lock a user's account with passwd -l |
| 3 |
> <username>, that user is still able to access their account if they have |
| 4 |
> ssh keys set up. This is, in my mind, a fairly big security hole. |
| 5 |
> Googling, I found an issue related to the Solaris implementation of PAM[1] |
| 6 |
> that was fixed in a later version. |
| 7 |
> |
| 8 |
> Does anyone know if there is a way to fix this in Gentoo and/or Linux? (I |
| 9 |
> don't have access to any non-Gentoo linux boxen atm, so I can't say for |
| 10 |
> sure if this issue exists on other distros) A tweak to PAM, perhaps? |
| 11 |
> |
| 12 |
> --kurt |
| 13 |
|
| 14 |
It's often overlooked but a much easier method for locking a user out is |
| 15 |
simply to change their default shell to /bin/false or something like it. |
| 16 |
SSH keys or not, they won't be getting access to the box anytime soon |
| 17 |
without a default shell. |
| 18 |
|
| 19 |
kevyn |
Archives