On Wed, Jul 04, 2001 at 05:18:59PM +1000, Kim Holburn wrote:
> Hello,
>
> I'm not a developer so I hope I'm asking this in the right forum. I am
> using openssh 2.5.2 to 2.9 something on various boxes.
>
> My question is this: If I have a user with ${HOME}/.ssh/authorized_keys
> file with his public key in it and I disable his account by say disabling
> his password in /etc/shadow he can still log in using public key
> authorization!! I want to encourage people to use ssh and to use
> authorization using public keys but I also want to be able to disable
> accounts centrally if I need to. Is this possible?
>
> Kim

I see that ssh 1.2.27 locked out all usage if the shadow file had '*LK*' in
the password field. OpenSSH doesn't appear to do that, maybe it should.
Ah, it does support some of the other shadow password fields; you could do
it by setting the account as expired. See "man shadow" and the
allowed_user() function in auth.c. You could probably put "1" in the 8th
column.

- Dave Dykstra
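
An audit for the situation discussed in this thread, as an added example that is not part of the original message or of OpenSSH: it lists accounts whose shadow password field is locked but whose 8th (expiry) field does not mark the account as expired. The function names, the sample entries and the rule that an empty or "0" expiry field means "not expired" are assumptions of this example.

```python
import time

# Constructed sample in shadow(5) format; not taken from any real system.
SAMPLE_SHADOW = """\
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
carol:*LK*:19000:0:99999:7:::
dave:!$6$constructedsalt$constructedhash:19000:0:99999:7::1:
erin:*:19000:0:99999:7::99999:
"""


def password_locked(pw_field):
    """True when the password field cannot match any password ('!', '*', '*LK*')."""
    return pw_field.startswith(("!", "*"))


def account_expired(expire_field, today):
    """True when the 8th field (days since 1970-01-01) is on or before today.

    Assumption: an empty, "0" or non-numeric field is treated as no expiry,
    so the audit errs on the side of reporting the account.
    """
    if not expire_field.isdigit() or int(expire_field) == 0:
        return False
    return today >= int(expire_field)


def locked_but_not_expired(shadow_text, today=None):
    """Return account names that are password-locked yet not expired."""
    if today is None:
        today = int(time.time() // 86400)  # current day count since the epoch
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 8:
            continue  # malformed or truncated entry
        name, pw, expire = fields[0], fields[1], fields[7]
        if password_locked(pw) and not account_expired(expire, today):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in locked_but_not_expired(SAMPLE_SHADOW):
        print(f"{name}: password locked, account not expired")
```

Accounts it reports are the ones to cross-check for an authorized_keys file in the home directory.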