# $Id$

=head1 INTRODUCTION

The goal of this documentation is to give some clues about how to handle the
usual issues with this software.

=head1 FAQ

=head2 Denying SSH login with a key to locked or expired users

On Linux there is no simple way to deny an expired or locked user a login over
SSH with an SSH key: for public-key authentication C<sshd> simply skips the
PAM authentication step, and that is where both checks are done.

One way would be to change the user's shell, which is what is done for the
standard C<passwd> database, but you immediately feel that this method is ugly
and complex to code.

After some thought about how to handle this, the following solution was found
to be the best.

In C<sshd_config> you can define users and groups that are not allowed to log
in, and because this is enforced by C<sshd> itself it works whatever
authentication method is used.

In the L<LATMOS::Accounts> database, create groups matching the user states:
one for locked users and one for expired users (unexported users don't exist
anymore, so there is no need to filter them).

Now add to both groups an C<autoMemberFilter> matching those users:

For locked users:

    autoMemberFilter: unexported=0
    autoMemberFilter: locked=*

For expired users:

    autoMemberFilter: unexported=0
    autoMemberFilter: expired=*

Now add to your C<sshd_config>:

    DenyGroups expired locked

where C<expired> and C<locked> are the names of the two groups. C<sshd> keeps
the first value it obtains for a keyword, so if a C<DenyGroups> line already
exists, add the two groups to it rather than adding a second line, and keep it
outside any C<Match> block so that it applies to every connection.

You're done: both groups are updated automatically according to each user's
status and C<sshd> rejects their logins, whatever the authentication method.

Two things to check on the hosts: C<sshd> resolves group membership through
NSS, so the two groups must be visible there (C<getent group locked> and
C<id -nG user> must show them), and C<DenyGroups> only covers C<sshd>; other
services that accept the same accounts are not affected by it.

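As an added example, not code from the LATMOS::Accounts project, here is a
small POSIX shell script that checks the resulting setup on a host: it extracts
the C<DenyGroups> directive that C<sshd> actually applies (the first one
outside any C<Match> block), verifies that the two state groups are listed, and
predicts the C<sshd> verdict for a user from its group list. The group names
C<expired> and C<locked> are the ones chosen in this FAQ; the C<sshd_config>
it parses is a constructed sample, not a real host's configuration.

```shell
#!/bin/sh
# Added example, not part of LATMOS::Accounts: sanity-check the DenyGroups
# setup described in the FAQ. Group names "expired" and "locked" are the ones
# chosen above; the sample config below is constructed for the demonstration.

# Print the argument list of the DenyGroups directive that sshd applies to
# every connection: the first one found outside any Match block. sshd keeps
# the first value it obtains for a keyword, so a second global DenyGroups
# line further down the file would be ignored by sshd as well.
# Simplifications: the "keyword=value" spelling is not handled, and
# DenyGroups lines inside Match blocks (conditional) are not reported.
effective_denygroups() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "denygroups" {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# denygroups_cover CONFIG GROUP... : succeed only if every GROUP is listed
# literally in the effective DenyGroups (sshd also accepts patterns such as
# "lock*"; they are not expanded here, so a wildcard counts as "not covered").
denygroups_cover() {
    cfg=$1; shift
    eff=$(effective_denygroups "$cfg")
    for g in "$@"; do
        found=0
        for d in $eff; do
            [ "$d" = "$g" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# sshd_denies CONFIG GROUP... : succeed if a user whose group list is GROUP...
# (primary and supplementary, as printed by `id -nG user`) would be rejected
# by the effective DenyGroups. sshd resolves that list through NSS, so on a
# real host this is only meaningful once the LDAP groups are visible to getent.
sshd_denies() {
    cfg=$1; shift
    eff=$(effective_denygroups "$cfg")
    for ug in "$@"; do
        for d in $eff; do
            [ "$ug" = "$d" ] && return 0
        done
    done
    return 1
}

# Constructed sample sshd_config for the demonstration; the DenyGroups inside
# the Match block is deliberately NOT the effective (global) one.
sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
UsePAM yes
DenyGroups expired locked
Match Group admins
    DenyGroups contractors
EOF
    printf '%s\n' "$f"
}

# Demonstration with the constructed config. On a real host replace the sample
# file with /etc/ssh/sshd_config and the group list with $(id -nG user).
demo() {
    cfg=$(sample_config)
    if denygroups_cover "$cfg" expired locked; then
        echo "DenyGroups covers both state groups"
    else
        echo "DenyGroups does not cover both state groups" >&2
    fi
    if sshd_denies "$cfg" users locked; then
        echo "a user in group 'locked' would be rejected by sshd"
    fi
    rm -f "$cfg"
}

demo
```

Run it after every change to C<sshd_config> (together with C<sshd -t>, which
checks the syntax but not the intent), and after each push of the groups to a
host, with the real group list of a test account that you have locked.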