Linux – Locking a user’s account locally when kerberos is enabled

Tags: kerberos, linux, pam

I'm trying to set up Chef-managed accounts for a group of machines with the following characteristics:

  • If there is no local account, login is blocked.
  • If there is a local account with SSH keys, using those for authentication is possible.
  • If there is a local account that has a local password, that password is used for authentication.
  • If there is a local account with no local password, Kerberos is used.

I've got that much working.

But the last thing I want to be able to do is to disable login on the account by locally locking the password (e.g. using usermod -L). The problem is that when the local password is locked, PAM is falling back to Kerberos … and allowing access.

Is there a way to configure PAM so that if a local password exists but is locked, it won't try Kerberos?

The best I can think of so far is to lock the account by clobbering the local password with something unguessable. But that is a bit crude, and doesn't play well if someone does not "follow the procedure" …

Best Answer

I agree with Michael Hampton's comments - you can and should use Kerberos to do this. But if you do want to do it by changing things on the local machine, here's a solution that should work.

In your sshd_config, add the line

DenyGroups blocked

Create a group named "blocked". When locking a user's local password, also add them to the group "blocked".

WARNING! This is a horribly ugly kludge that shouldn't exist in a sane world. It may, however, be useful in the one we live in.
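An added audit helper (not part of the answer above) for keeping the kludge consistent: it lists users whose local password is locked in a shadow file (the `!` prefix that usermod -L writes) but who are missing from the sshd DenyGroups group, i.e. exactly the accounts for which PAM would still fall back to Kerberos. The group name and file paths are parameters, and the shadow and group files used here are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example: audit "locked password but not in the blocked group" drift.
# Assumes the sshd_config line "DenyGroups blocked" from the answer is in place.

# Users whose shadow password field starts with "!" (what usermod -L produces).
# $1 = shadow file
locked_users() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# Members of a group, one per line. $1 = group file, $2 = group name
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Locked users that are NOT in the deny group: these can still log in via the
# PAM -> Kerberos fallback described in the question. $1 shadow, $2 group file, $3 group
unblocked_locked_users() {
    for u in $(locked_users "$1"); do
        group_members "$2" "$3" | grep -qx "$u" || echo "$u"
    done
}

# The full locking procedure from the answer (needs root; not invoked in this example).
lock_user() {   # $1 = username
    usermod -L "$1" && usermod -aG blocked "$1"
}

# Constructed sample data standing in for /etc/shadow and /etc/group.
SHADOW_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:!$6$saltsalt$hashhash:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
dave:$6$saltsalt$hashhash:19000:0:99999:7:::
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
blocked:x:1001:bob
EOF

# bob was locked by the procedure; carol was locked without being added to "blocked".
unblocked_locked_users "$SHADOW_SAMPLE" "$GROUP_SAMPLE" blocked
```

On a real host, run the last line against /etc/shadow and /etc/group (as root) from cron to catch anyone who locked a password without following the procedure.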