On Wed, 2008-10-08 at 01:25 +0400, Dan Yefimov wrote:
> On 07.10.2008 2:40, Max Bowsher wrote:
> > I know about the special behaviour of "!" in a password field when SSH
> > is managing authentication itself. My point is that this special
> > behavior does NOT exist any more when SSH is authenticating via PAM -
> > but I want it to!
> >
> If SSH authentication is performed via PAM (so-called keyboard-interactive
> authentication), you do have that behaviour. But, IIRC, you perform
> authentication with an SSH public key, which completely bypasses the PAM
> infrastructure at the authentication stage regardless of the 'UsePAM yes'
> setting, thus the result you observe. PAM has nothing to do with that.
> Please carefully read the sshd_config manual.

Not really - sshd will call pam_acct_mgmt() even in the case of public key
authentication. The problem is that pam_unix checks just the expiration dates
of the shadow entry, not the password hash field contents.

I think we should do the same as sshd on Linux without PAM enabled - it
will reject just the accounts with a password hash that starts with '!'.
We would not reject the accounts with '*' in the password hash in the
shadow entry.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
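
As an added illustration (not code from Linux-PAM, OpenSSH, or anyone in this thread), the C sketch below contrasts an account check that looks only at the shadow expiry field with the proposed check that also rejects a hash field beginning with '!' while leaving '*' alone. The function names, the sample shadow line, and the day number 14160 are constructed, and the expiry test is a simplified model of the shadow(5) expire field, not pam_unix's actual logic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum verdict { ACCT_OK, ACCT_EXPIRED, ACCT_LOCKED, ACCT_BAD_ENTRY };

/* Copy ':'-separated field idx (0-based) into out; empty fields are kept. */
static int shadow_field(const char *line, int idx, char *out, size_t outlen)
{
    const char *p = line;
    while (idx-- > 0) {
        if ((p = strchr(p, ':')) == NULL)
            return -1;
        p++;
    }
    size_t n = strcspn(p, ":\n");
    if (n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Expiry-only account check (simplified model of the behaviour described). */
enum verdict check_expiry_only(const char *line, long today)
{
    char expire[32];
    if (shadow_field(line, 7, expire, sizeof expire) != 0)
        return ACCT_BAD_ENTRY;
    if (expire[0] != '\0' && today >= strtol(expire, NULL, 10))
        return ACCT_EXPIRED;
    return ACCT_OK;
}

/* Proposed check: also reject a hash starting with '!'; '*' is not rejected. */
enum verdict check_with_lock(const char *line, long today)
{
    char hash[256];
    enum verdict v = check_expiry_only(line, today);
    if (v != ACCT_OK)
        return v;
    if (shadow_field(line, 1, hash, sizeof hash) != 0)
        return ACCT_BAD_ENTRY;
    return hash[0] == '!' ? ACCT_LOCKED : ACCT_OK;
}

int main(void)
{
    const char *l = "alice:!$6$constructed$hash:14000:0:99999:7:::"; /* constructed */
    printf("expiry-only=%d with-lock=%d\n", check_expiry_only(l, 14160), check_with_lock(l, 14160));
}
```

With the constructed '!'-prefixed entry, the expiry-only check accepts the account and the proposed check rejects it, which is the gap a public key login would otherwise pass through.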