* [gentoo-dev] locking user accounts doesn't really lock them.
From: Kurt Lieber @ 2003-10-31 21:27 UTC
To: gentoo-dev
Right now, at least on Gentoo, if you lock a user's account with passwd -l
<username>, that user is still able to access their account if they have
ssh keys set up. This is, in my mind, a fairly big security hole.
Googling, I found an issue related to the Solaris implementation of PAM[1]
that was fixed in a later version.
Does anyone know if there is a way to fix this in Gentoo and/or Linux? (I
don't have access to any non-Gentoo linux boxen atm, so I can't say for
sure if this issue exists on other distros) A tweak to PAM, perhaps?
--kurt
* Re: [gentoo-dev] locking user accounts doesn't really lock them.
From: Kevyn Shortell @ 2003-10-31 21:55 UTC
To: Kurt Lieber; +Cc: gentoo-dev
On Fri, 2003-10-31 at 13:27, Kurt Lieber wrote:
> Right now, at least on Gentoo, if you lock a user's account with passwd -l
> <username>, that user is still able to access their account if they have
> ssh keys set up. This is, in my mind, a fairly big security hole.
> Googling, I found an issue related to the Solaris implementation of PAM[1]
> that was fixed in a later version.
>
> Does anyone know if there is a way to fix this in Gentoo and/or Linux? (I
> don't have access to any non-Gentoo linux boxen atm, so I can't say for
> sure if this issue exists on other distros) A tweak to PAM, perhaps?
>
> --kurt
It's often overlooked but a much easier method for locking a user out is
simply to change their default shell to /bin/false or something like it.
SSH keys or not, they won't be getting access to the box anytime soon
without a default shell.
kevyn
* Re: [gentoo-dev] locking user accounts doesn't really lock them.
From: Kurt Lieber @ 2003-10-31 22:01 UTC
To: gentoo-dev
On Fri, Oct 31, 2003 at 01:55:13PM -0800 or thereabouts, Kevyn Shortell wrote:
> It's often overlooked but a much easier method for locking a user out is
> simply to change their default shell to /bin/false or something like it.
> SSH keys or not, they won't be getting access to the box anytime soon
> without a default shell.
A valid point, but iirc, this still allows the user to do things which
don't require an interactive shell. (scp, for instance)
Ideally, there is one simple way of *completely* locking out a user from a
machine, short of deleting their entry in /etc/(passwd|shadow)
--kurt
* Re: [gentoo-dev] locking user accounts doesn't really lock them.
From: Kurt Lieber @ 2003-10-31 22:18 UTC
To: gentoo-dev
On Fri, Oct 31, 2003 at 05:01:17PM -0500 or thereabouts, Kurt Lieber wrote:
> Ideally, there is one simple way of *completely* locking out a user from a
> machine, short of deleting their entry in /etc/(passwd|shadow)
As was just pointed out to me on irc, expiring the account, as opposed to
locking the password, will do what I want. So:
usermod -e 0000-00-00 <user>
I still think SSH should find a way to check/respect the ! character in
passwd fields, but for now, I can at least use this as a workaround.
--kurt
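An audit check for the gap this thread is about, added here as an example and not part of any of the messages: it lists accounts that passwd -l has locked (the "!" marker in the shadow password field) but that have neither a past expiry date (what usermod -e sets) nor a non-login shell, so an authorized SSH key would still let them in. It assumes the shadow(5) and passwd(5) file layouts and the three non-login shell names listed; the sample files are constructed.

```shell
#!/bin/sh
# Added audit helper (example code, not from the thread). Arguments: a
# shadow(5)-format file and a passwd(5)-format file, passed as paths so the
# check can run against a copy or a test fixture rather than the live files.
locked_but_open() {
    shadow=$1
    passwd=$2
    today=$(( $(date +%s) / 86400 ))   # days since the epoch, as shadow(5) stores expiry
    while IFS=: read -r name pw lastchg min max warn inact expire flag; do
        # only accounts carrying the "!" lock marker that passwd -l writes
        case "$pw" in
            '!'*) ;;
            *) continue ;;
        esac
        # an expiry date that has already passed (what usermod -e gives) disables
        # every authentication method, so such accounts are fine
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            continue
        fi
        # a non-login shell blocks the session, so skip those as well
        shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$passwd")
        case "$shell" in
            /bin/false|/sbin/nologin|/usr/sbin/nologin) continue ;;
        esac
        echo "$name"
    done < "$shadow"
}

# Constructed sample files for a stand-alone run (fake hashes, not real data).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/shadow" <<'EOF'
alice:!$6$fakehash:12300:0:99999:7:::
bob:!$6$fakehash:12300:0:99999:7::1:
carol:!$6$fakehash:12300:0:99999:7:::
dave:$6$fakehash:12300:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/false
dave:x:1003:1003::/home/dave:/bin/bash
EOF

# alice: locked only by "!"; bob: also expired; carol: shell is /bin/false;
# dave: not locked at all. Only alice should be reported.
locked_but_open "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/passwd"
```

Run it against copies of the real /etc/shadow and /etc/passwd to find accounts whose only control is the password lock.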
* Re: [gentoo-dev] locking user accounts doesn't really lock them.
From: Lisa Seelye @ 2003-11-01 2:47 UTC
To: Kurt Lieber; +Cc: Gentoo Dev
On Fri, 2003-10-31 at 17:18, Kurt Lieber wrote:
> As was just pointed out to me on irc, expiring the account, as opposed to
> locking the password, will do what I want. So:
>
> usermod -e 0000-00-00 <user>
Will this leave the /etc/passwd entry intact?
--
Regards,
-Lisa
<Vix ulla tam iniqua pax, quin bello vel aequissimo sit potior>
* Re: [gentoo-dev] locking user accounts doesn't really lock them.
From: Eldad Zack @ 2003-11-01 11:50 UTC
To: Kurt Lieber; +Cc: gentoo-dev
On Fri, 31 Oct 2003, Kurt Lieber wrote:
> On Fri, Oct 31, 2003 at 01:55:13PM -0800 or thereabouts, Kevyn Shortell wrote:
> > It's often overlooked but a much easier method for locking a user out is
> > simply to change their default shell to /bin/false or something like it.
> > SSH keys or not, they won't be getting access to the box anytime soon
> > without a default shell.
>
> A valid point, but iirc, this still allows the user to do things which
> don't require an interactive shell. (scp, for instance)
I don't think that is the case - actually, I've managed to break scp by
changing bashrc output.
scp does require the user to have a valid shell.
--
gentoo-dev@gentoo.org mailing list