Issue created 9 years ago by matracine (@matracine), Reporter
Locked users can connect using SSH keys

Closed

Hello,

Using Debian Jessie, configured with fusiondirectory repo:

deb http://repos.fusiondirectory.org/debian-jessie jessie main

Version installed is 1.0.9.1-1. Plugin SSH installed and fusiondirectory-plugin-ssh-schema installed/inserted on my SLAPD server.

I use a ssh-ldap-pubkey script on my servers to connect using public key authentication. When I lock a user in fusiondirectory, he can still connect to the server using his private key (no more sudo possible).

I think the way the user is locked is by adding a "! " to the encrypted password, so the ssh keys are not impacted... It could be OK to do the same thing on all the sshPublicKey attributes of the account ? ex : ssh-rsa !AAAAB3NzaC1yc2EAAAADAQABAAABAQD....

Or adding a keyword (disabled ?) at the beginning of the key ? ex: disabled-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD....

Regards

(from redmine: issue id 4385, created on 2015-12-28, closed on 2016-01-22)

  • Relations:
    • copied_to #4473
  • Changesets:
    • Revision 5207c5fd by Côme Chilliet on 2016-01-21T03:25:56.000Z: Fixes #4385 Ignoring disabled- prefix when parsing SSH keys
    • Revision 16ec16e1 by Côme Chilliet on 2016-01-21T03:26:56.000Z: Fixes #4385 Ignoring disabled- prefix when parsing SSH keys
    • Revision 0c07fabb by Côme Chilliet on 2016-01-21T03:27:12.000Z: Fixes #4385 Ignoring disabled- prefix when parsing SSH keys
  • Custom Fields:
    • Bug in version: 1.0.9.1

Activity


  • Côme Chilliet
    Côme Chilliet @cchilliet · 9 years ago
    Reporter

    Hum we could do that (adding the ! to the ssh key), can’t decide if it’s a good idea or not. Sadly it seems there is no way to filter locked users, as userPassword got no substr matching. Maybe we could add some other attribute to locked users to be able to filter them, but in latest FD version we want to stick to official schemas and I don’t think there is something for this :-/

    In the meantime you can set the loginShell for these users to /bin/false or something like this to forbid them connection. (FD could do that automatically when locking but then it would lose the information of what the login shell was before locking)

    (from redmine: written on 2016-01-04)

  • bmortier
    bmortier @bmortier · 9 years ago
    Maintainer

    hello,

    Yes, same feeling for me, I'm not sure about this, must look if ssh has a way to indicate that a key is disabled.

    Cheers

    (from redmine: written on 2016-01-04)

  • bmortier
    bmortier @bmortier · 9 years ago
    Maintainer

    hello,

    I don't want to do ssh-rsa !AAAA, so that's out of the picture, because I don't want to change the ssh-key. I tested with disabled-ssh-rsa and effectively the ssh key doesn't work anymore

    so i think we can do this one:

    disabled- in front of the key when we disable the user.

    it will need fixing the display in the ssh tab of the user also

    Cheers

    (from redmine: written on 2016-01-20)

  • Côme Chilliet
    Côme Chilliet @cchilliet · 9 years ago
    Reporter

    Ok, pushed this solution to all active branches and same on core with #4473. If you add an SSH key to an already locked user it won’t be disabled, you have to unlock/relock the user if you want the key to be modified.

    (from redmine: written on 2016-01-21)
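An added example, not part of the thread and not FusionDirectory's or ssh-ldap-pubkey's code: a Python audit for the gap described in the comment above, where a key added to an already locked user keeps working, plus the check a key-lookup helper can apply so a locked account gets no keys at all. Assumptions: entries are already fetched as dicts of string lists, and the lock marker is a "!" at the start of userPassword or right after its {SCHEME} tag.

```python
import re

DISABLED_PREFIX = "disabled-"  # prefix chosen in this issue's fix
# Assumption: a locked userPassword has "!" at the very start of the value or
# directly after its "{SCHEME}" tag; adjust to what your directory stores.
LOCK_MARK = re.compile(r"^(\{[^}]*\})?\s*!")


def is_locked(entry):
    """True if any userPassword value carries the lock marker."""
    return any(LOCK_MARK.match(v) for v in entry.get("userPassword", []))


def usable_keys(entry):
    """sshPublicKey values without the disabled- prefix, i.e. still usable."""
    return [k for k in entry.get("sshPublicKey", [])
            if not k.strip().startswith(DISABLED_PREFIX)]


def keys_to_serve(entry):
    """Keys a lookup helper should hand to sshd: none for a locked account."""
    return [] if is_locked(entry) else usable_keys(entry)


def audit(entries):
    """Map uid -> usable keys for locked accounts that still have some."""
    findings = {}
    for e in entries:
        if is_locked(e) and usable_keys(e):
            findings[e["uid"][0]] = usable_keys(e)
    return findings


# Constructed sample entries (attribute -> list of values); keys are fake.
ENTRIES = [
    {"uid": ["alice"], "userPassword": ["{SSHA}c2FtcGxl"],
     "sshPublicKey": ["ssh-rsa AAAAEXAMPLEalice alice@example"]},
    {"uid": ["bob"], "userPassword": ["{SSHA}!c2FtcGxl"],   # locked, keys prefixed
     "sshPublicKey": ["disabled-ssh-rsa AAAAEXAMPLEbob bob@example"]},
    {"uid": ["carol"], "userPassword": ["{SSHA}!c2FtcGxl"],  # key added after locking
     "sshPublicKey": ["disabled-ssh-rsa AAAAEXAMPLEold carol@example",
                      "ssh-ed25519 AAAAEXAMPLEnew carol@example"]},
]

if __name__ == "__main__":
    for uid, keys in audit(ENTRIES).items():
        print(f"locked account {uid} still has {len(keys)} usable key(s)")
```

A lookup helper usually binds with an account that cannot read userPassword, so `keys_to_serve` only helps where that attribute is readable; the audit is meant to run with an administrative bind.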

  • Jonathan Swaelens
    Jonathan Swaelens @jswaelens · 9 years ago
    Developer

    Close issue

    (from redmine: written on 2016-01-22)

  • Jonathan Swaelens closed 7 years ago

  • bmortier added Security label 6 years ago

  • bmortier removed enhancement label 4 years ago

  • bmortier added ~1078 label 4 years ago

  • bmortier added FSA-0007 label and removed FSA-0008 label 4 years ago

Assignee: Côme Chilliet
Labels: Changed, PJ1802-0188, enhancement, plugin-mail
Milestone: FusionDirectory 1.4 (expired)
Due date: None
Time tracking: Spent 5h 40m
Confidentiality: Not confidential
Reference: fusiondirectory/fd-plugins#3360
