From: Kevyn Shortell
To: Kurt Lieber
Cc: gentoo-dev@gentoo.org
Date: 31 Oct 2003 13:55:13 -0800
Subject: Re: [gentoo-dev] locking user accounts doesn't really lock them.
Message-Id: <1067637313.2158.15.camel@localhost>
In-Reply-To: <20031031212727.GZ2395@mail.lieber.org>

On Fri, 2003-10-31 at 13:27, Kurt Lieber wrote:
> Right now, at least on Gentoo, if you lock a user's account with passwd -l
> , that user is still able to access their account if they have
> ssh keys set up. This is, in my mind, a fairly big security hole.
> Googling, I found an issue related to the Solaris implementation of PAM[1]
> that was fixed in a later version.
>
> Does anyone know if there is a way to fix this in Gentoo and/or Linux? (I
> don't have access to any non-Gentoo linux boxen atm, so I can't say for
> sure if this issue exists on other distros) A tweak to PAM, perhaps?
>
> --kurt

It's often overlooked but a much easier method for locking a user out is
simply to change their default shell to /bin/false or something like it.
SSH keys or not, they won't be getting access to the box anytime soon
without a default shell.
kevyn
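The gap Kurt describes (an account "locked" with passwd -l that an SSH key can still open) is easy to audit for. The script below is an added example, not part of the thread or of any Gentoo tool: it walks a passwd/shadow pair, flags accounts whose password hash is locked ("!" or "*" prefix) but whose shell is still usable and whose home directory carries an authorized_keys file. The passwd, shadow and home directories it reads are constructed in a temp directory so it runs offline; the AUDIT_ROOT, PASSWD_FILE and SHADOW_FILE variables are this example's own names and can be pointed at real paths.

```shell
#!/bin/sh
# Audit for accounts that are password-locked but still reachable over SSH by key.
# Sample passwd/shadow/home data is CONSTRUCTED below under a temp dir so the
# script runs offline; set AUDIT_ROOT/PASSWD_FILE/SHADOW_FILE to audit a live host.

AUDIT_ROOT="${AUDIT_ROOT:-$(mktemp -d)}"
PASSWD_FILE="${PASSWD_FILE:-$AUDIT_ROOT/passwd}"
SHADOW_FILE="${SHADOW_FILE:-$AUDIT_ROOT/shadow}"

setup_sample() {
    # Three constructed accounts:
    #   alice: locked with passwd -l (hash prefixed "!"), shell /bin/bash, has a key -> still reachable
    #   bob:   locked AND shell /bin/false (Kevyn's approach) -> key alone gives no session
    #   carol: not locked -> out of scope for this check
    mkdir -p "$AUDIT_ROOT/home/alice/.ssh" "$AUDIT_ROOT/home/bob/.ssh" "$AUDIT_ROOT/home/carol/.ssh"
    cat > "$PASSWD_FILE" <<EOF
alice:x:1001:1001::$AUDIT_ROOT/home/alice:/bin/bash
bob:x:1002:1002::$AUDIT_ROOT/home/bob:/bin/false
carol:x:1003:1003::$AUDIT_ROOT/home/carol:/bin/bash
EOF
    cat > "$SHADOW_FILE" <<EOF
alice:!constructedhash:12000:0:99999:7:::
bob:!constructedhash:12000:0:99999:7:::
carol:constructedhash:12000:0:99999:7:::
EOF
    echo "ssh-rsa AAAAB3constructedkey alice@example" > "$AUDIT_ROOT/home/alice/.ssh/authorized_keys"
    echo "ssh-rsa AAAAB3constructedkey bob@example" > "$AUDIT_ROOT/home/bob/.ssh/authorized_keys"
}

# True when the shadow password field marks the password as locked/disabled.
is_locked() {
    case "$1" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the login shell would actually give an SSH session.
is_usable_shell() {
    case "$1" in
        ''|/bin/false|/sbin/nologin|/usr/sbin/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one username per line for accounts that are locked but key-reachable.
find_key_reachable_locked() {
    while IFS=: read -r user _ _ _ _ home shell; do
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$SHADOW_FILE")
        is_locked "$hash" || continue
        is_usable_shell "$shell" || continue
        [ -s "$home/.ssh/authorized_keys" ] || continue
        echo "$user"
    done < "$PASSWD_FILE"
}

setup_sample
echo "Locked accounts still reachable by SSH key:"
find_key_reachable_locked
```

On the constructed data only alice is reported: bob is locked the same way but his /bin/false shell closes the session path, and carol is not locked at all. On a real host the interesting output is any account that appears here; the fix is the one the thread discusses, an unusable shell (or an equivalent block at the sshd/PAM level) in addition to the password lock.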