Thorsten Kukuk wrote:
On Thu, Oct 02, Max Bowsher wrote:
Hi,
"Traditional" (pre-PAM) Linux software, like the 'shadow' package
providing tools such as /usr/bin/passwd, and OpenSSH in non-PAM mode
support the concept of a "locked" account being one whose crypted
password field starts with a "!" character.
This has nothing to do with PAM.
Well, obviously. I'm describing the non-PAM behaviour that I then
proceed to explain I'd like to see in PAM too.
In particular, an account "locked" in this fashion becomes ineligible
for ssh logins by public key, as well as by password, when used in this
manner, when OpenSSH is not using PAM.
I'd quite like to make use of this feature even when OpenSSH *is* using
PAM. Is there any existing way to configure PAM to respect this convention?
On openSUSE you can use "usermod -L" or "passwd -l" for this.
Unless openSUSE has significantly different versions of these tools than
Debian/Ubuntu, then the way those commands work is *exactly what I'm
talking about* - they prepend a "!" character to the password.
Now, clearly, this blocks password-based logins. I am saying that it
should block logins by non-password means too (e.g. ssh pubkey), and
suggesting that the account-management part of pam_unix should consider
an account marked with a ! to be disabled (well, expired, I suppose,
since I don't see a locked/disabled return code in the pam headers.)
Max.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
