On Fri, 2003-10-31 at 13:27, Kurt Lieber wrote:
> Right now, at least on Gentoo, if you lock a user's account with passwd -l
> <username>, that user is still able to access their account if they have
> ssh keys set up.  This is, in my mind, a fairly big security hole.
> Googling, I found an issue related to the Solaris implementation of PAM[1]
> that was fixed in a later version.
> 
> Does anyone know if there is a way to fix this in Gentoo and/or Linux?  (I
> don't have access to any non-Gentoo Linux boxen atm, so I can't say for
> sure if this issue exists on other distros)  A tweak to PAM, perhaps?
> 
> --kurt

It's often overlooked but a much easier method for locking a user out is
simply to change their default shell to /bin/false or something like it.
SSH keys or not, they won't be getting access to the box anytime soon
without a default shell.

kevyn
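
An audit for the situation raised in this thread, as an added example that is not part of the original messages: it lists accounts that are password-locked yet still have a login shell and an `authorized_keys` file. The function names, the `ROOT` parameter, and the fixture data are constructed for illustration, and the key path assumes OpenSSH's default location.

```bash
#!/usr/bin/env bash
# audit_locked_keys PASSWD_FILE SHADOW_FILE [ROOT]
# Lists accounts whose shadow hash is "!"-prefixed (as passwd -l leaves it)
# but that keep a login shell and a non-empty authorized_keys file.
# ROOT is a hypothetical home-directory prefix for auditing a constructed tree.
audit_locked_keys() {
    local passwd_file=$1 shadow_file=$2 root=${3:-} user home shell
    # Pass 1 (shadow): note users with a "!"-prefixed real hash; bare "!" or
    # "*" entries never had a password and are skipped.
    # Pass 2 (passwd): emit user:home:shell for those users.
    awk -F: '
        NR == FNR { if ($2 ~ /^!+[$]/) locked[$1] = 1; next }
        ($1 in locked) { print $1 ":" $6 ":" $7 }
    ' "$shadow_file" "$passwd_file" |
    while IFS=: read -r user home shell; do
        case "$shell" in
            */false|*/nologin) continue ;;  # shell already refuses login
        esac
        # Default OpenSSH path; AuthorizedKeysFile in sshd_config may differ.
        if [ -s "$root$home/.ssh/authorized_keys" ]; then echo "$user"; fi
    done
}

# Constructed fixture; alice is the case from the thread.
run_demo() {
    local d u; d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
alice:!$6$constructed$hash:12345:0:99999:7:::
bob:!$6$constructed$hash:12345:0:99999:7:::
carol:$6$constructed$hash:12345:0:99999:7:::
dave:!$6$constructed$hash:12345:0:99999:7:::
EOF
    for u in alice bob carol; do
        mkdir -p "$d/home/$u/.ssh"
        echo "ssh-ed25519 AAAA-constructed $u" > "$d/home/$u/.ssh/authorized_keys"
    done
    audit_locked_keys "$d/passwd" "$d/shadow" "$d"
    rm -rf "$d"
}

run_demo   # prints: alice
```

On a live system, run `audit_locked_keys /etc/passwd /etc/shadow` as root, since `/etc/shadow` is not world-readable.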
