Issue 1771: SECURITY ISSUE: Users are still able to SSH after being removed from OpenID or LDAP
Status:  New
Owner: ----
Reported by docw...@gmail.com, Jan 25, 2013
Affected Version: 2.5.1

What steps will reproduce the problem?
1. disable a user in LDAP or OpenID
2. ssh as that user

What is the expected output? What do you see instead?

You can still access things at the permissions you had before the LDAP or OpenID account was disabled.

I expected the SSH access to fail.

This is a huge problem if an admin leaves a business, etc. since they would still have full access via SSH.

Please provide any additional information below.

There is issue #1061 for disabling accounts. Adding a "disabled_at" column to the database would go a long way towards closing this hole. It would still require either a script or person going into gerrit and disabling the account, but at least it would prevent people from SSH'ing into gerrit after they have left.
Jan 25, 2013
Project Member #1 edwin.ke...@gmail.com
You can manually set an account to inactive using the 'gerrit set-account' SSH command [1].

[1] http://gerrit-documentation.googlecode.com/svn/Documentation/2.5.1/cmd-set-account.html
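One way to script the reconciliation the reporter asks for, using the set-account command from the comment above, as an added example that is neither the Gerrit project's code nor anything posted in this issue; the Gerrit hostname, port and admin user, and the two username lists, are assumed or constructed:

```shell
#!/bin/sh
# Added example (not Gerrit's own tooling): compare the accounts Gerrit still
# treats as active with those the directory (LDAP/OpenID) still enables, and
# mark the leftovers inactive with 'gerrit set-account --inactive'.
GERRIT_SSH="${GERRIT_SSH:-ssh -p 29418 admin@gerrit.example.com}"  # assumed endpoint
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print what would be run; 0 = really run it

# Print usernames present in the first file (Gerrit's active accounts) but
# absent from the second (accounts the directory still reports as enabled).
stale_accounts() {
    gerrit_list=$(mktemp) && dir_list=$(mktemp) || return 1
    sort -u "$1" > "$gerrit_list"
    sort -u "$2" > "$dir_list"
    comm -23 "$gerrit_list" "$dir_list"
    rm -f "$gerrit_list" "$dir_list"
}

# The exact command that flips one account to inactive (see cmd-set-account.html).
deactivate_cmd() {
    printf '%s gerrit set-account --inactive %s\n' "$GERRIT_SSH" "$1"
}

# Deactivate every stale account, or just print the commands when DRY_RUN=1.
# Usernames are validated first so an odd directory entry cannot smuggle
# shell metacharacters into the remote command line.
reconcile() {
    stale_accounts "$1" "$2" | while IFS= read -r user; do
        case "$user" in
            ''|*[!A-Za-z0-9._-]*) echo "skipping suspicious username: $user" >&2; continue ;;
        esac
        if [ "$DRY_RUN" = 1 ]; then
            deactivate_cmd "$user"
        else
            $GERRIT_SSH gerrit set-account --inactive "$user"
        fi
    done
}

# Constructed sample input: Gerrit still lists alice, bob and carol as active,
# but the directory now only enables alice and carol, so bob must go.
SAMPLE_GERRIT=$(mktemp) && printf 'alice\nbob\ncarol\n' > "$SAMPLE_GERRIT"
SAMPLE_DIR=$(mktemp) && printf 'alice\ncarol\n' > "$SAMPLE_DIR"
reconcile "$SAMPLE_GERRIT" "$SAMPLE_DIR"
```

Feed the script the real account lists (for example from gerrit's own account listing and an LDAP search for enabled users) and run it from cron with DRY_RUN=0 once the dry-run output looks right.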