On Tue, 2008-10-07 at 20:55 +1100, Darren Tucker wrote:
> Thorsten Kukuk wrote:
> > On Mon, Oct 06, Max Bowsher wrote:
> >
> >> I know about the special behaviour of "!" in a password field when SSH
> >> is managing authentication itself. My point is that this special
> >> behavior does NOT exist any more when SSH is authenticating via PAM -
> >> but I want it to!
> >
> > This seems to be a special behavior of ssh, I never saw this elsewhere.
>
> I implemented this in OpenSSH's sshd, based on user requests and
> language such as this in the man pages (this from passwd(1) in Fedora,
> but I suspect similar language exists elsewhere):
>
>     -l  This option is used to lock the specified account and it is
>         available to root only. The locking is performed by rendering
>         the encrypted password into an invalid string (by prefixing the
>         encrypted string with an !).

...

> Agreed, when sshd is configured to use PAM it delegates such things to
> it (as far as possible, anyway) so PAM is the right place to do this.
> Personally I think pam_unix should do this check in the account stack
> (there's also special-case handling of the *NP* string, for example) but
> that's probably a matter of taste.

I agree that pam_unix should be modified to do this check in the account
phase. I'll write a patch later.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
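
The account-phase check proposed in this thread, sketched as an added example; it is not part of the original messages and is not OpenSSH or Linux-PAM code. It decides from a shadow-format line alone whether the account is locked by the `!` prefix that `passwd -l` writes; the function names, result codes and sample lines are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not Linux-PAM constants). */
enum acct_result { ACCT_OK, ACCT_LOCKED, ACCT_NO_ENTRY, ACCT_MALFORMED };

/* Account decision for `user` from one shadow-format line
 * ("name:hash:lastchg:..."). No password is verified here, so the result
 * does not depend on how the user authenticated. */
enum acct_result acct_check_line(const char *line, const char *user)
{
    const char *colon = strchr(line, ':');
    size_t ulen = strlen(user), hlen;

    /* Not this user's entry: the name must match exactly, not as a prefix. */
    if (colon == NULL || (size_t)(colon - line) != ulen ||
        strncmp(line, user, ulen) != 0)
        return ACCT_NO_ENTRY;

    /* The password field must be terminated by ':'; otherwise fail closed. */
    hlen = strcspn(colon + 1, ":\n");
    if (colon[1 + hlen] != ':')
        return ACCT_MALFORMED;

    /* passwd -l: lock by prefixing the encrypted string with '!'. */
    return colon[1] == '!' ? ACCT_LOCKED : ACCT_OK;
}

/* Scan the lines for `user`; the first entry with that name decides. */
enum acct_result acct_check(const char *const *lines, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++) {
        enum acct_result r = acct_check_line(lines[i], user);
        if (r != ACCT_NO_ENTRY)
            return r;
    }
    return ACCT_NO_ENTRY;
}

/* Constructed sample data, not taken from any real system. */
static const char *const SAMPLE[] = {
    "alice:$6$constructedsalt$constructedhash:14159:0:99999:7:::",
    "bob:!$6$constructedsalt$constructedhash:14159:0:99999:7:::",
    "carol:!!:14159:0:99999:7:::",
    "dave:$6$truncated",
};

int main(void)
{
    static const char *const names[] = { "ACCT_OK", "ACCT_LOCKED", "ACCT_NO_ENTRY", "ACCT_MALFORMED" };
    static const char *const users[] = { "alice", "bob", "carol", "dave", "eve" };
    for (size_t i = 0; i < 5; i++)
        printf("%s: %s\n", users[i], names[acct_check(SAMPLE, 4, users[i])]);
    return 0;
}
```
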