Linux – How to deny access to disabled AD accounts via kerberos in pam_krb5

Tags: active-directory, kerberos, linux, pam

I have a working AD/Linux/LDAP/KRB5 directory and authentication setup, with one small problem. When an account is disabled, SSH publickey authentication still allows user login.

It's clear that Kerberos clients can identify a disabled account, as kinit and kpasswd return "Clients credentials have been revoked" with no further password / interaction.

Can PAM be configured (with "UsePAM yes" in sshd_config) to disallow logins for disabled accounts, where authentication is done by publickey? This doesn't seem to work:

account     [default=bad success=ok user_unknown=ignore] pam_krb5.so

Please don't introduce winbind in your answer – we don't use it.

Best Answer

I have read elsewhere other people asking for SSH to be "fixed" so that locked accounts can't be logged into via SSH (see Debian bug 219377). This request got rejected as a patch "because it breaks some expectations from users [who were] used to passwd -l only locking the passwd." (see Debian bug 389183) e.g. some people WANTED to be able to lock accounts from password logins, but still allow SSH key access.

PAM will not deny SSH key authentication to accounts which have just been locked (e.g. due to invalid password attempts, because SSH key authentication is designed to not pay any attention to the password field, which is where accounts are usually locked from.)

I understand that the password hash entry is implicitly checked at pam_authenticate() time, not at pam_acct_mgmt() time. pam_unix.so pam_sm_acct_mgmt() doesn't check the password hash at all, and pam_authenticate() is not called during public key authentication.

If your intention is to be able to centrally disable accounts from logging in, there are other possible workarounds, including:

Changing the login shell.

(re)moving their authorized_keys file.

Another option for denying access could be some use of DenyGroups or AllowGroups in the sshd_config (then adding the user to a "sshdeny" group, or removing them from an "sshlogin" group to disable them from logging in). (Read here: https://help.ubuntu.com/8.04/serverguide/user-management.html )

From http://web.archiveorange.com/archive/v/67CtqEoe5MhDqkDmUMuL I read: "The problem is pam_unix checks just the expiration dates of the shadow entry, not the password hash field contents." If this is true, would expiring the account rather than locking it do what you need?

The answer to your question is possibly "yes, if you're disabling them somewhere other than the password field".
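As an added example (not code from the asker or the answerer), the following pam_exec account-phase helper builds on the observation in the question that kinit reports "Clients credentials have been revoked" for a disabled AD principal before it ever asks for a password. The script probes the principal with stdin closed, so no password is sent for an active account and no failed logon is recorded against it, and it denies the account phase only when the KDC reports revocation. The realm name, the script path, the PAM stanza shown in the comments, and the exact wording of the non-revoked kinit messages are assumptions (MIT Kerberos kinit is assumed); the sample kinit output strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: account-phase check for pam_exec, denying SSH logins
# (including publickey logins) when the AD principal is disabled.
# Assumed deployment, placed before the pam_unix account line in /etc/pam.d/sshd:
#   account  required  pam_exec.so  /usr/local/sbin/krb5-disabled-check
# pam_exec exports the user under test as $PAM_USER.

REALM="${KRB5_REALM:-EXAMPLE.COM}"   # placeholder realm; set to your AD realm
FAIL_CLOSED="${FAIL_CLOSED:-0}"       # 1 = deny when the KDC gave no answer

# Constructed sample kinit diagnostics (not real captures) for self-testing.
SAMPLE_REVOKED="kinit: Clients credentials have been revoked while getting initial credentials"
SAMPLE_ACTIVE="Password for alice@EXAMPLE.COM: kinit: Cannot read password while getting initial credentials"
SAMPLE_NOKDC="kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials"

# Classify kinit's diagnostic text. Echoes one of:
#   disabled - the KDC reported the client's credentials as revoked
#   unknown  - the KDC could not be reached (assumed MIT wording)
#   active   - anything else: kinit got as far as wanting a password
classify_kinit_output() {
    case "$1" in
        *"credentials have been revoked"*) echo disabled ;;
        *"Cannot contact any KDC"*|*"Cannot find KDC"*) echo unknown ;;
        *) echo active ;;
    esac
}

# Map a classification to the PAM outcome: "allow" (exit 0) or "deny" (exit 1).
# Only a positive revocation denies; an unreachable KDC denies only if FAIL_CLOSED=1.
decision_for() {
    case "$1" in
        disabled) echo deny ;;
        unknown)  if [ "$FAIL_CLOSED" = "1" ]; then echo deny; else echo allow; fi ;;
        *)        echo allow ;;
    esac
}

# Probe the principal without sending a password: stdin is /dev/null, so an
# active account gets no credential submitted (and no failed logon), while a
# disabled one is reported as revoked before the prompt. A memory ccache keeps
# any stray ticket out of the filesystem; kinit's exit status is irrelevant here.
probe_principal() {
    KRB5CCNAME="MEMORY:krb5_disabled_check" \
        timeout 10 kinit "$1@$REALM" </dev/null 2>&1 || true
}

# Full decision for one user, as the PAM hook would compute it.
check_user() {
    decision_for "$(classify_kinit_output "$(probe_principal "$1")")"
}

# Entry point when invoked by pam_exec (PAM_USER is set); skipped otherwise.
if [ -n "${PAM_USER:-}" ]; then
    verdict="$(check_user "$PAM_USER")"
    logger -t krb5-disabled-check "user=$PAM_USER verdict=$verdict"
    [ "$verdict" = "allow" ] || exit 1
    exit 0
fi
```

The script must be owned by root and not writable by anyone else, since pam_exec runs it with sshd's privileges. Leaving FAIL_CLOSED at 0 mirrors the answer's advice that key logins should not silently break when the directory is unreachable; set it to 1 only where locking everyone out during a KDC outage is the intended policy. Local accounts that do not exist in AD are classified as "active" and therefore left to the remaining account modules.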