Operating System - HP-UX

Re: pam kerberos and ssh PubkeyAuthentication

 
Denver Osborn
Honored Contributor

pam kerberos and ssh PubkeyAuthentication

I'm setting up a trusted system's pam.conf to use kerberos and the sshd_config for PAM. Problem I'm having is with ssh public-key auth. When the unix account is locked I can still get in using my public-key.

My sshd_config contains:
PasswordAuthentication no
PubkeyAuthentication yes
KerberosAuthentication no

My pam.conf is set up like so...
----
other auth required libpam_updbe.1 debug
other auth sufficient libpam_krb5.1 debug krb_prompt
other auth sufficient libpam_unix.1 debug try_first_pass

other account required libpam_updbe.1 debug
other account sufficient libpam_krb5.1 debug
other account required libpam_unix.1 debug

other session required libpam_updbe.1 debug
other session required libpam_krb5.1 debug
other session required libpam_unix.1 debug

other password required libpam_updbe.1 debug
other password sufficient libpam_krb5.1 debug krb_prompt ignore
other password required libpam_unix.1 debug try_first_pass

----

Any thoughts on what I'm missing? I saw a similar known problem that suggested using PAM_AUTHZ, but it was for PAM_LDAP...

Thanks!
-denver
2 REPLIES
Christian Tremblay
Trusted Contributor

Re: pam kerberos and ssh PubkeyAuthentication

It's a known thing that ssh key authentication will let you log in to a locked account.

I don't know if there is a way to disable that "feature".

Chris
Evert Ladrak
Advisor

Re: pam kerberos and ssh PubkeyAuthentication

Denver,

I've never done this, but I think you have to tell sshd that you want to use PAM rather than the plain passwd file.

ssh_config(5)
UsePAM 1

-ETL
Evert
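
Added example, not part of the thread and not HP's or OpenSSH's code: with UsePAM enabled, OpenSSH skips the PAM auth stack for public-key logins and relies on the account stack, so this sketch evaluates the account lines from the pam.conf posted above to show which modules are actually consulted. Assumptions: the module outcomes in LOCKED, the REORDERED variant, and the helper names parse and evaluate are all hypothetical.

```python
# Added sketch: simplified PAM control-flag evaluation for one module type.
# Module outcomes are ASSUMED inputs, not results from the real HP-UX modules.
POSTED = """\
other account required libpam_updbe.1 debug
other account sufficient libpam_krb5.1 debug
other account required libpam_unix.1 debug
"""  # account lines exactly as posted in the thread
REORDERED = """\
other account required libpam_updbe.1 debug
other account required libpam_unix.1 debug
other account sufficient libpam_krb5.1 debug
"""  # hypothetical ordering to compare against, not a vendor recommendation

def parse(conf, module_type="account"):
    """Return [(control_flag, module)] for one module type."""
    stack = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == module_type:
            stack.append((fields[2], fields[3]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module -> True (success) or False (failure).
    Returns (access_granted, modules_consulted)."""
    required_failed, consulted = False, []
    for control, module in stack:
        ok = outcome[module]
        consulted.append(module)
        if control == "sufficient" and ok and not required_failed:
            return True, consulted   # short-circuit: later modules never run
        if control == "requisite" and not ok:
            return False, consulted  # hard stop on first failure
        if control == "required" and not ok:
            required_failed = True   # remembered, but the stack keeps running
        # failed "sufficient" and any "optional" result do not decide the outcome
    return not required_failed, consulted

# ASSUMED outcomes for a locked local account that still passes the Kerberos check
LOCKED = {"libpam_updbe.1": True, "libpam_krb5.1": True, "libpam_unix.1": False}

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("reordered", REORDERED)):
        granted, seen = evaluate(parse(conf), LOCKED)
        print(f"{name:9} granted={granted} consulted={seen}")
```

Under these assumed outcomes the posted ordering returns success before libpam_unix.1 is consulted, while the reordered stack reaches it and denies access.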