Changeset 1962

Timestamp:

02/21/17 21:26:40 (7 years ago)

Author:

nanardon

Message:

Add notice for SSH + keys

File:

• trunk/LATMOS-Accounts/man/man8/latmos-accounts-faq.pod (modified) (1 diff)

trunk/LATMOS-Accounts/man/man8/latmos-accounts-faq.pod

@@ -3 +3 @@
 =head1 INTRODUCTION
 
+The goal of this docmuentation is to give soo clue about how to manage usuall
+issue with this software.
+
 =head1 FAQ
 
+=head2 Denying to locked user to login using SSH with key
 
+There is no way on linux to deny to expired or locked user to login using ssh
+and ssh key because sshd simply skip the authentification step on PAM and both
+checks are done here.
+
+On way could be to change the shell, this is what is done for standard C<passwd>
+database but you immediatelly feel this method is ugly and complex to code.
+
+After some wonder about how to do here the solution found as the best.
+
+In C<sshd_config> you can define users and groups not allow to login, and
+because this is managed by C<sshd> itself it will work whatever the login method
+is used.
+
+In the L<LATMOS::Accounts> database create groups to match user's states one for
+locked user and one for expired users (unexported user don't exists anymore, no
+need to filter them).
+
+Now add to both an C<autoMemberFilter> to match thoses users:
+
+For locked users:
+    autoMemberFilter: unexported=0
+    autoMemberFilter: locked=*
+
+For expired users:
+    autoMemberFilter: unexported=0
+    autoMemberFilter: expired=*
+
+Now add to you C<sshd_config>:
+
+    DenyGroups expired locked
+
+where C<expired> and C<locked> are the name of both groups.
+
+You're done, both groups will be update automatically according user's status
+and C<sshd> will reject them.
+