source: trunk/LATMOS-Accounts/man/man8/latmos-accounts-faq.pod @ 1962

# $Id$

=head1 INTRODUCTION

The goal of this docmuentation is to give soo clue about how to manage usuall
issue with this software.

=head1 FAQ

=head2 Denying to locked user to login using SSH with key

There is no way on linux to deny to expired or locked user to login using ssh
and ssh key because sshd simply skip the authentification step on PAM and both
checks are done here.

On way could be to change the shell, this is what is done for standard C<passwd>
database but you immediatelly feel this method is ugly and complex to code.

After some wonder about how to do here the solution found as the best.

In C<sshd_config> you can define users and groups not allow to login, and
because this is managed by C<sshd> itself it will work whatever the login method
is used.

In the L<LATMOS::Accounts> database create groups to match user's states one for
locked user and one for expired users (unexported user don't exists anymore, no
need to filter them).

Now add to both an C<autoMemberFilter> to match thoses users:

For locked users:
    autoMemberFilter: unexported=0
    autoMemberFilter: locked=*

For expired users:
    autoMemberFilter: unexported=0
    autoMemberFilter: expired=*

Now add to you C<sshd_config>:

    DenyGroups expired locked

where C<expired> and C<locked> are the name of both groups.

You're done, both groups will be update automatically according user's status
and C<sshd> will reject them.