Thorsten Kukuk wrote:
On Mon, Oct 06, Max Bowsher wrote:
I know about the special behaviour of "!" in a password field when SSH
is managing authentication itself. My point is that this special
behavior does NOT exist any more when SSH is authenticating via PAM -
but I want it to!
This seems to be a special behavior of ssh, I never saw this elsewhere.
I implemented this in OpenSSH's sshd, based on user requests and
language such as this in the man pages (this from passwd(1) in Fedora,
but I suspect similar language exists elsewhere):
-l This option is used to lock the specified account and it is
available to root only. The locking is performed by rendering
the encrypted password into an invalid string (by prefixing the
encrypted string with an !).
Note that is says that it locks the *account* not the *password*.
This was also consistent with other platforms (I did something of a
survey at the time, and from memory there were other platforms like
Solaris where locking the account would also affect non-password things
like cron, but it's been a while so I could be wrong about the details).
But on the other side, everything else uses the password for authentication,
so this was not necessary.
Write your own account module which does the check for you. It's the
same amount of work than to update all pam installations on all machines.
Agreed, when sshd is configured to use PAM it delegates such things to
it (as far as possible, anyway) so PAM is the right place to do this.
Personally I think pam_unix should do this check in the account stack
(there's also special-case handling of the *NP* string, for example) but
that's probably a matter of taste.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
