On Wed, Jul 04, 2001 at 05:18:59PM +1000, Kim Holburn wrote:
> Hello,
> 
> I'm not a developer so I hope I'm asking this in the right forum.  I am
> using openssh 2.5.2 to 2.9 something on various boxes.
> 
> My question is this:  If I have a user with ${HOME}/.ssh/authorized_keys
> file with his public key in it and I disable his account by say disabling
> his password in /etc/shadow he can still log in using public key
> authorization!!  I want to encourage people to use ssh and to use
> authorization using public keys but I also want to be able to disable
> accounts centrally if I need to.  Is this possible?
> 
> Kim


I see that ssh 1.2.27 locked out all usage if the shadow file had '*LK*' in
the password field.  OpenSSH doesn't appear to do that, maybe it should.
Ah, it does support some of the other shadow password fields; you could do
it by setting the account as expired.  See "man shadow" and the allowed_user()
function in auth.c.  You could probably put "1" in the 8th column.

- Dave Dykstra
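
As an added example (not part of the original messages and not OpenSSH code), the Python script below audits shadow-format entries for the gap discussed in this thread: accounts whose password field is locked but whose expiry field (the 8th column) is unset, so a login that does not use the password is not blocked by the expiry check. The sample entries are constructed, and the lock markers and the expiry comparison are assumptions modelled on shadow(5), not copied from auth.c.

```python
import time

# Assumed password-field prefixes meaning "password login disabled":
# '*LK*' is the marker named in the thread; '!' and '*' are common conventions.
LOCK_MARKERS = ("*LK*", "!", "*")

# Constructed sample entries in shadow(5) layout:
# name:passwd:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$1$constructed$hash:11500:0:99999:7:::
bob:*LK*:11500:0:99999:7:::
carol:*LK*:11500:0:99999:7::1:
dave:!$1$constructed$hash:11500:0:99999:7:::
"""

def account_state(line, today_days):
    """Return (name, password_locked, account_expired) for one entry."""
    fields = line.rstrip("\n").split(":")
    fields += [""] * (9 - len(fields))      # tolerate short lines
    name, passwd, expire = fields[0], fields[1], fields[7]
    locked = passwd.startswith(LOCK_MARKERS)
    # Column 8 is the expiry date in days since 1970-01-01. Empty means the
    # account never expires; 0 is ambiguous per shadow(5) and is treated here
    # as "no expiry" (assumption).
    expired = expire.isdigit() and int(expire) > 0 and today_days > int(expire)
    return name, locked, expired

def find_key_only_gaps(lines, today_days=None):
    """Names of accounts that look disabled (locked password) but are not
    expired, i.e. the case the original question describes."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    gaps = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, locked, expired = account_state(line, today_days)
        if locked and not expired:
            gaps.append(name)
    return gaps

if __name__ == "__main__":
    for user in find_key_only_gaps(SAMPLE_SHADOW.splitlines()):
        print(f"{user}: password locked but account not expired")
```

On a real system the same function can be fed the lines of /etc/shadow (read as root); any name it reports also needs its expiry column set if the intent is to disable the account entirely.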
