10-15-2003 05:03 AM
SSH, PAM and locked accounts
For several security program reasons, I need to "lock" accounts via a "*" in the password field.
It works fine for login (telnet refused => good).
Meanwhile, I need to grant SSH access to those accounts (via RSA authentication).
The problem is this: PAM refuses to give a login session, as you can see in the error message below:
PAM rejected by account configuration[17]: User account has expired
How can I set up PAM to accept this kind of account?
Thanks for your help,
10-15-2003 05:34 AM
Re: SSH, PAM and locked accounts
If however you use passwd -f, I think sshd will pick that up and force the user to change the password with the old password. If the user doesn't know what the old password is, the goal is achieved. If I understand the goal.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
10-15-2003 08:42 AM
Re: SSH, PAM and locked accounts
External tools force me to lock accounts by entering a "*" in the password field.
And... ssh access does not work in this case, because ssh authentication is delegated to PAM (once SSH stuff is OK), where SSH authentication is based on the same mechanism as telnet (which prevents access if the account is locked by "*").
Any suggestion to achieve my objective?
Thanks,
10-15-2003 08:49 AM
Re: SSH, PAM and locked accounts
If the external program you are talking about is the one doing the '*' thing, then you could just make a script to overwrite somewhere along the line :-).
10-15-2003 09:01 AM
Re: SSH, PAM and locked accounts
TCP Wrappers will allow you to select which users and/or systems can access the inetd services like "login", "rlogin", "remsh", etc.
10-15-2003 09:08 AM
Re: SSH, PAM and locked accounts
So I really need to find a way to get it to work with SSH.
Note that I tried to lock the account with something like "AAA" in the password field, and everything is fine (telnet is out, SSH is OK). But I cannot leave this solution (because of other so-called "security" tools... :-( ).
=> So my question:
How can I get PAM authentication to accept access on a locked account, once SSH authentication is OK?
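
An audit sketch for the situation described in this thread, added here as an example and not posted by any participant: it classifies each password field ("*" lock, an unusable string such as "AAA", or a real hash) and reports whether the account also has an authorized_keys file, so an administrator can see which password-less accounts are still meant to be reachable by SSH key. It assumes traditional 13-character crypt(3) hashes in a passwd(4)-format file; the function names, sample accounts, hash and key strings are all constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit passwd(4)-format entries.
# Assumption: a usable hash is a 13-character traditional crypt(3) string,
# optionally followed by ",<aging>"; anything else can never match a password.

classify_field() {
    hash=${1%%,*}                      # drop optional password-aging suffix
    case $hash in
        '')  echo empty ;;             # no password set at all
        '*') echo star-locked ;;       # the lock the thread's tools apply
        *[!A-Za-z0-9./]*) echo unusable ;;
        *)  if [ "${#hash}" -eq 13 ]; then echo hash; else echo unusable; fi ;;
    esac
}

audit_passwd() {
    # $1 = passwd-format file; $2 = optional prefix prepended to home dirs
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        state=$(classify_field "$pw")
        if [ -s "$2$home/.ssh/authorized_keys" ]; then
            keys=keys
        else
            keys=nokeys
        fi
        echo "$user $state $keys"
    done < "$1"
}

run_demo() {
    # Constructed sample tree: three accounts, two with SSH keys installed.
    dir=${TMPDIR:-/tmp}/pwaudit.$$
    mkdir -m 700 "$dir" || return 1
    mkdir -p "$dir/home/alice/.ssh" "$dir/home/bob/.ssh" "$dir/home/carol"
    echo 'ssh-rsa CONSTRUCTED-KEY alice' > "$dir/home/alice/.ssh/authorized_keys"
    echo 'ssh-rsa CONSTRUCTED-KEY bob'   > "$dir/home/bob/.ssh/authorized_keys"
    cat > "$dir/passwd" <<'EOF'
alice:*:101:20::/home/alice:/usr/bin/sh
bob:AAA:102:20::/home/bob:/usr/bin/sh
carol:abJnggxhB/yJk:103:20::/home/carol:/usr/bin/sh
EOF
    audit_passwd "$dir/passwd" "$dir"
    rm -rf "$dir"
}

run_demo
```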
08-09-2004 06:23 AM