[SOLVED] SSH public key authentication still works for locked user
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
SSH public key authentication still works for locked user
Hi,
I have a RHEL 5.5 server.On this server there is an account named test for which I configured public key authentication and I am able to login from a remote server with this user without password.
The problem is when I lock this user with passwd -l or usermod -L ,I can still login from remote server. So it seems these commands only lock the shadow. Is there any way to prevent publickey authentication in this case.
Depends on how you manage user restrictions. If you set them in /etc/ssh/sshd_config you could use {Allow,Deny}{Users,Groups}. Else, if you don't like editing sshd_config each and every time, you could use a "pam_listfile.so onerr=fail item=user sense=deny file=/path/to/deny.file" in the SSH PAM stack and echo all denied user names into "/path/to/deny.file" one account per line.
I use neither of the restrictions you mentioned.
I am in charge of managing many servers with many users. When one user leaves the organisation I lock his/her user by usermod -L or passwd -l but seems it is not enough; because if he configured publickey authentication before he can still login to the server while his account is locked ,please correct me if I am wrong
Sure he can because test is using a separate login system, PKI. And test still has his public key. You need to rename or remove his private key(s) in /home/test/.ssh .
Be advised that it is never a good idea to make certs without a password. I know the point is to make passwordless logins, but don't give just anyone their public key. No one if possible, especially yourself as you are admin. :[
Just out of curiosity are you using ldap, or kerberos for normal auth? Are you making any use of selinux?
Last edited by Quantumstate; 08-26-2012 at 09:42 AM.
The point is users are able to edit their authorized_keys by themselves so after locking them they will be still able to login to the server. So I guess I will move or delete their .ssh directory in addition to locking their account after they left the company
They won't even be able to get in (from their remote client with their public key) if you rename their private key (on the server), so they wouldn't be able to edit their keys.
PKI with no cert password is not a good idea anyway, except in special circumstances like an rsync backup server, or reverse SSH tunnels. Best to do these though with a special user with a login shell of /bin/false .
Interesting. You might want to consider Kerberos if you're managing a number of machines and accounts. It gives centralized control and coherency.
As far as managing passwords on keys, that's what "ssh agent" programs are for. You supply the unlocking password for the key once.
Macintosh OS/X is rather nice in that it will conveniently store these passwords in the OS/X "keychain" of your choice. You don't have to remember the random, unguessable string of gobbledygook that is the actual certificate encryption key.
Never use an ssh certificate that is not encrypted.
Well, for certain automated actions over the LAN you pretty much have to make passwordless certs. No alternative. But coupling that with /bin/false shell mitigates, as long as the client machine is secure.
The following command will effectively deactivate one user (password and SSH key login):
Code:
$ sudo usermod --expiredate 1 <USERNAME>
From man passwd:
Code:
-l, --lock
...
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key).
To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.