Changeset 1962
- Timestamp:
- 02/21/17 21:26:40 (7 years ago)
- File:
-
- 1 edited
trunk/LATMOS-Accounts/man/man8/latmos-accounts-faq.pod
r1013 r1962 3 3 =head1 INTRODUCTION 4 4 5 The goal of this docmuentation is to give soo clue about how to manage usuall 6 issue with this software. 7 5 8 =head1 FAQ 6 9 10 =head2 Denying to locked user to login using SSH with key 7 11 12 There is no way on linux to deny to expired or locked user to login using ssh 13 and ssh key because sshd simply skip the authentification step on PAM and both 14 checks are done here. 15 16 On way could be to change the shell, this is what is done for standard C<passwd> 17 database but you immediatelly feel this method is ugly and complex to code. 18 19 After some wonder about how to do here the solution found as the best. 20 21 In C<sshd_config> you can define users and groups not allow to login, and 22 because this is managed by C<sshd> itself it will work whatever the login method 23 is used. 24 25 In the L<LATMOS::Accounts> database create groups to match user's states one for 26 locked user and one for expired users (unexported user don't exists anymore, no 27 need to filter them). 28 29 Now add to both an C<autoMemberFilter> to match thoses users: 30 31 For locked users: 32 autoMemberFilter: unexported=0 33 autoMemberFilter: locked=* 34 35 For expired users: 36 autoMemberFilter: unexported=0 37 autoMemberFilter: expired=* 38 39 Now add to you C<sshd_config>: 40 41 DenyGroups expired locked 42 43 where C<expired> and C<locked> are the name of both groups. 44 45 You're done, both groups will be update automatically according user's status 46 and C<sshd> will reject them. 47
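Review bot: The new FAQ entry stops at the C<DenyGroups expired locked> line without saying that C<sshd> must be reloaded (or restarted) before the change takes effect, and without noting that C<DenyGroups> is evaluated by C<sshd> on the host, so the C<expired> and C<locked> groups (and their auto-membership) have to be resolvable there through the system's group lookup, not only present in the L<LATMOS::Accounts> database; add a short sentence covering both, since a reader following the steps verbatim would otherwise see no effect. The wording "both checks are done here" also leaves it unclear which PAM stage is meant; naming it would make the motivation for the C<DenyGroups> approach easier to follow. Finally, the added text has several typos worth fixing before it ships as a man page: "docmuentation", "soo clue", "usuall", "authentification", "On way", "immediatelly", "thoses", and "will be update automatically according user's status" (should read "will be updated automatically according to the user's status").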