I have the user passwords locked so they cannot log in with password authentication. Is there a way for me to allow another authentication that would still allow them to log in via SSH?
asked Dec 21 '10 at 12:33
SSH KB ♦
It is often desirable to lock the password of an account but still allow the user to log in via SSH using another authentication method, such as SSH public key authentication.
However, even when only public key authentication is enabled in the SSH Tectia Server config, Tectia will check the user's account and password to ensure the account is not locked. If it finds the account or password locked, Tectia will not allow the user to log in.
Below is a method to configure SSH Tectia to use PAM to do account validation without verifying the user's password, thereby giving server administrators the ability to allow users whose accounts are locked to log in using another authentication method.
Configuring SSH Tectia Server
Configure Tectia Server to Call PAM for Account Checking Only
<params>
    <!-- Possible other params can be inserted here -->
    <settings pam-account-checking-only="yes" />
    <pluggable-authentication-modules pam-calls-with-commands="yes" />
</params>
Set Tectia Server to Allow the Chosen Authentication Method
Also in the
<authentication-methods login-grace-time="600">
    <!-- Possible other authentication attributes or elements can be inserted here -->
    <authentication name="authentication">
        <!-- Possible selectors can be inserted here -->
        <auth-publickey />
    </authentication>
    <!-- Possible other authentication elements can be inserted here -->
</authentication-methods>
Configure PAM to See the User's Password as Optional
auth       required     /lib/security/$ISA/pam_env.so
auth       required     /lib/security/$ISA/pam_unix.so likeauth nullok
account    required     /lib/security/$ISA/pam_unix.so likeauth nullok
session    required     /lib/security/$ISA/pam_unix.so likeauth nullok
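The three steps above describe one configuration; the following is an added audit script (not part of the original KB answer and not SSH's own tooling) that checks an ssh-server-config.xml for the intended end state: PAM is used for account checking only, PAM is called with commands, public-key authentication is enabled, and password authentication is not. It also lists which accounts in /etc/shadow have a locked or unusable password, so you can confirm who this change actually affects. The <secsh-server> root element, the <auth-password /> element name, and the sample shadow lines are assumptions constructed for the example.

```python
"""Audit helper for the locked-account + public-key setup (added example).

Assumptions (not confirmed by the KB page): the config root element is
<secsh-server>, and password authentication is enabled by an
<auth-password /> element inside <authentication-methods>.
"""
import xml.etree.ElementTree as ET

# Constructed sample config assembled from the fragments in the answer above.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<secsh-server>
  <params>
    <settings pam-account-checking-only="yes" />
    <pluggable-authentication-modules pam-calls-with-commands="yes" />
  </params>
  <authentication-methods login-grace-time="600">
    <authentication name="authentication">
      <auth-publickey />
    </authentication>
  </authentication-methods>
</secsh-server>
"""

# Constructed /etc/shadow lines; the hash fields are placeholders, not real
# hashes. "!" prefix = locked with passwd -l, "*" = no usable password.
SAMPLE_SHADOW = """root:$6$placeholderhash:18900:0:99999:7:::
alice:!$6$placeholderhash:18900:0:99999:7:::
bob:$6$placeholderhash:18900:0:99999:7:::
svc-backup:*:18900:0:99999:7:::
"""


def _yes(value):
    """Tectia boolean attributes are 'yes'/'no'; treat anything else as no."""
    return (value or "").strip().lower() == "yes"


def audit_config(xml_text):
    """Parse ssh-server-config.xml text and report the settings that matter here."""
    root = ET.fromstring(xml_text)
    settings = root.find("params/settings")
    pam = root.find("params/pluggable-authentication-modules")
    auth_methods = root.find("authentication-methods")

    # Collect every <auth-*> element, however deeply it is nested under
    # <authentication> blocks and selectors.
    enabled = set()
    if auth_methods is not None:
        for elem in auth_methods.iter():
            if elem.tag.startswith("auth-"):
                enabled.add(elem.tag[len("auth-"):])

    return {
        "pam_account_checking_only": settings is not None
        and _yes(settings.get("pam-account-checking-only")),
        "pam_calls_with_commands": pam is not None
        and _yes(pam.get("pam-calls-with-commands")),
        "publickey_enabled": "publickey" in enabled,
        "password_enabled": "password" in enabled,
        "enabled_methods": sorted(enabled),
    }


def locked_accounts_can_login(findings):
    """True only when the config matches the recipe in the answer above.

    Password auth must be off: a locked password would be rejected anyway, and
    leaving it on would defeat the point of locking the accounts.
    """
    return (
        findings["pam_account_checking_only"]
        and findings["pam_calls_with_commands"]
        and findings["publickey_enabled"]
        and not findings["password_enabled"]
    )


def locked_password_accounts(shadow_text):
    """Return account names whose shadow hash field is locked or unusable."""
    locked = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, hash_field = fields[0], fields[1]
        if hash_field.startswith(("!", "*")):
            locked.append(name)
    return locked


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("locked accounts can still log in with a key:",
          locked_accounts_can_login(findings))
    print("accounts with locked passwords:",
          locked_password_accounts(SAMPLE_SHADOW))
```

Run it against the real file (for example `audit_config(open("/etc/ssh2/ssh-server-config.xml").read())`, path assumed) after editing the config; if `locked_accounts_can_login` returns False, one of the four conditions is missing and users listed by `locked_password_accounts` will still be refused.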