How to deny access to disabled AD accounts via kerberos in pam_krb5?

Posted by Phil on Server Fault See other posts from Server Fault or by Phil
Published on 2012-05-30T14:39:40Z Indexed on 2012/05/30 16:44 UTC
Read the original article Hit count: 244

Filed under:
|
|

I have a working AD/Linux/LDAP/KRB5 directory and authentication setup, with one small problem. When an account is disabled, SSH publickey authentication still allows user login.

It's clear that kerberos clients can identify a disabled account, as kinit and kpasswd return "Clients credentials have been revoked" with no further password / interaction.

Can PAM be configured (with "UsePAM yes" in sshd_config) to disallow logins for disabled accounts, where authentication is done by publickey? This doesn't seem to work:

account     [default=bad success=ok user_unknown=ignore] pam_krb5.so

Please don't introduce winbind in your answer - we don't use it.

© Server Fault or respective owner

Related posts about linux

Related posts about kerberos