
I have the user passwords locked so they cannot log in with password authentication. Is there a way for me to allow another authentication that would still allow them to log in via SSH?

asked Dec 21 '10 at 12:33

SSH KB


It is often desirable to lock the password of an account, but still allow the user to login via SSH using another authentication method, such as SSH public key authentication.

However, even when only public key authentication is enabled in the SSH Tectia Server config, Tectia will check the user's account and password to ensure the account is not locked. If it finds the account or password locked, Tectia will not allow the user to login.

Below is a method to configure SSH Tectia to use PAM to do account validation without verifying the user's password, thereby allowing server administrators the ability to allow users whose accounts are locked to login using another authentication method.

Configuring SSH Tectia Server

In the /etc/ssh2/ssh-server-config.xml file, please make sure the following settings are enabled.

Configure Tectia Server to Call PAM for Account Checking Only

  <params>
    <!-- Possible other params can be inserted here -->
    <settings
      pam-account-checking-only="yes" />
    <pluggable-authentication-modules pam-calls-with-commands="yes" />
  </params>

Set Tectia Server to Allow the Chosen Authentication Method

Also in the /etc/ssh2/ssh-server-config.xml file.

  <authentication-methods login-grace-time="600">
    <!-- Possible other authentication attributes or elements can be inserted here -->
    <authentication name="authentication">
      <!-- Possible selectors can be inserted here -->
      <auth-publickey />
      <!-- Possible other authentication elements can be inserted here -->
    </authentication>
  </authentication-methods>

Configure PAM to See the User's Password as Optional

In the /etc/pam.d/ssh-server-g3 file (create one as below if necessary), set the following:

  auth       required    /lib/security/$ISA/pam_env.so
  auth       required    /lib/security/$ISA/pam_unix.so likeauth nullok
  account    required    /lib/security/$ISA/pam_unix.so likeauth nullok
  session    required    /lib/security/$ISA/pam_unix.so likeauth nullok

NOTE: The above PAM config file is from Red Hat Linux 3 - your config file may vary.

This configuration is provided as an example only; SSH does not provide technical support for how to configure PAM.


answered Dec 21 '10 at 12:38

SSH KB


edited Dec 21 '10 at 12:47
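
An added example, not part of the original answer and not SSH Tectia code: once the settings above are in place, locking a password no longer blocks SSH login, so an administrator may want to list which locked accounts are affected. The sketch below checks a config for the settings the answer names and cross-references shadow-style entries; the function names, the sample config (including its root element) and the sample shadow lines are constructed for illustration, and it assumes the usual Linux convention that a locked password field starts with `!`.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, not taken from a real server.
SAMPLE_CONFIG = """<secsh-server>
  <params>
    <settings pam-account-checking-only="yes" />
    <pluggable-authentication-modules pam-calls-with-commands="yes" />
  </params>
  <authentication-methods login-grace-time="600">
    <authentication name="authentication">
      <auth-publickey />
    </authentication>
  </authentication-methods>
</secsh-server>"""

# Constructed /etc/shadow-style lines (user:password-field:...).
SAMPLE_SHADOW = """alice:!$6$salt$hash:14964:0:99999:7:::
bob:$6$salt$hash:14964:0:99999:7:::
carol:!!:14964:0:99999:7:::
"""

def check_config(xml_text):
    """Report the settings from ssh-server-config.xml that the answer relies on."""
    root = ET.fromstring(xml_text)

    def enabled(tag, attr):
        return any(e.get(attr) == "yes" for e in root.iter(tag))

    methods = {child.tag
               for auth in root.iter("authentication")
               for child in auth if child.tag.startswith("auth-")}
    return {
        "pam_account_checking_only": enabled("settings", "pam-account-checking-only"),
        "pam_calls_with_commands": enabled("pluggable-authentication-modules",
                                           "pam-calls-with-commands"),
        "auth_methods": sorted(methods),
    }

def locked_users(shadow_text):
    """Users whose password field starts with '!' (assumed lock marker)."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [f[0] for f in rows if len(f) >= 2 and f[1].startswith("!")]

def lock_no_longer_blocks(xml_text, shadow_text):
    """Locked-password users whose lock no longer prevents public-key login."""
    cfg = check_config(xml_text)
    if cfg["pam_account_checking_only"] and "auth-publickey" in cfg["auth_methods"]:
        return locked_users(shadow_text)
    return []
```

Accounts this reports that should stay disabled need another control, such as removing their public keys or expiring the account, since the password lock alone no longer keeps them out.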


Seen: 5,761 times

Last updated: Mar 01 '11 at 19:22

All user contributed content licensed under the cc-by-sa license.