How to deny access to disabled AD accounts via kerberos in pam_krb5?
Posted by Phil on Server Fault, published 2012-05-30T14:39:40Z.
I have a working AD/Linux/LDAP/KRB5 directory and authentication setup, with one small problem. When an account is disabled, SSH publickey authentication still allows user login.
It's clear that Kerberos clients can identify a disabled account, as kinit and kpasswd return "Clients credentials have been revoked" with no further password / interaction.
Can PAM be configured (with "UsePAM yes" in sshd_config) to disallow logins for disabled accounts, where authentication is done by publickey? This doesn't seem to work:
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
Please don't introduce winbind in your answer - we don't use it.
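The following is an added example, not part of Phil's question and not an answer from Server Fault. It shows one way to put the "is this AD account disabled?" decision into the PAM account stage, which sshd runs for every login when UsePAM is yes, including publickey logins that never touch pam_krb5's auth stage. It is a script for pam_exec.so that reads userAccountControl from AD over LDAP and denies when the ACCOUNTDISABLE bit (0x2) is set. It assumes the OpenLDAP ldapsearch client with a keytab-based GSSAPI bind for the machine, and uses placeholder values for the server URI and base DN; the script path and the pam_exec line in the usage note are assumptions too.

```shell
#!/bin/sh
# Added example (not from the original post): account-stage check for
# pam_exec.so that fails closed when the AD user's userAccountControl
# carries the ACCOUNTDISABLE bit (0x2). Server and base DN are placeholders.

LDAP_URI="${LDAP_URI:-ldap://dc.example.invalid}"     # placeholder, set for your domain
LDAP_BASE="${LDAP_BASE:-DC=example,DC=invalid}"        # placeholder, set for your domain

# Accept only plain login names so the value cannot alter the LDAP filter.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# 0 = disabled, 1 = enabled, 2 = value is not a number (treat as unknown).
uac_is_disabled() {
    uac="$1"
    case "$uac" in ''|*[!0-9]*) return 2 ;; esac
    [ $(( uac & 2 )) -ne 0 ]
}

# Pull the first userAccountControl value out of ldapsearch -LLL output on stdin.
parse_uac() {
    sed -n 's/^userAccountControl: *//p' | head -n 1
}

# Query AD for the user's userAccountControl; prints the value or nothing.
lookup_uac() {
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(sAMAccountName=$1)" userAccountControl 2>/dev/null | parse_uac
}

# Decision for one user: 0 = allow, 1 = deny.
# Bad name, unreachable directory, or unparsable value all deny (fail closed).
account_check() {
    valid_username "$1" || return 1
    uac="$(lookup_uac "$1")"
    [ -n "$uac" ] || return 1
    if uac_is_disabled "$uac"; then
        return 1
    elif [ $? -eq 2 ]; then
        return 1
    fi
    return 0
}

# pam_exec.so exports PAM_USER; when present, run the check and report via exit status.
if [ -n "$PAM_USER" ]; then
    account_check "$PAM_USER"
    exit $?
fi
```

Wired in as, for instance, `account required pam_exec.so /usr/local/sbin/ad-account-check.sh` (hypothetical path) ahead of or alongside the existing pam_krb5 account line, a non-zero exit from the script makes the account stage fail, so sshd refuses the session even though publickey authentication itself succeeded. The parsing and decision logic is separated from the LDAP call so it can be exercised offline: 514 (normal account, disabled) and 66050 (disabled, password never expires) are denied, 512 is allowed, and a username containing filter metacharacters is rejected before any query is built.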