On 04.10.2008 22:13, Scott Ruckh wrote:
That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check password hash at all. The matter is that SSH public key authentication can be used to bypass password hash based authentication and restrictions it may impose, i. e. it allows other host to connect as a service account for backup purpose, for example, while it's still impossible to log in as that account in general. So in order to disallow some user logging in one must also either modify sshd_config or rename ~user/.ssh/authorized_keys to reflect the logging in prohibition, in addition to locking that user password hash.Instead of prefixing hash with "!" use "*" instead. Still an impossible password hash, and will work with PKA.
-- Sincerely Your, Dan.