Dan Yefimov wrote:
>> No, you're missing something: A password hash that begins with a !
>> character, by mostly undocumented but fairly widespread convention, has
>> a meaning beyond mere authentication - it denotes a completely locked
>> account. This semantic is expected by traditional Linux tools such as
>> those built from the 'shadow' source package of most Linux distros, and
>> extended tools such as Debian's 'adduser', which makes a distinction
>> between a disabled *account* and a disabled *password* and maps this to
>> the "!" vs. "*" convention.
> No, I miss nothing here. Whatever prefix the password hash begins with, if
> the password hash derived from the string obtained from the user isn't equal to
> what is contained in shadow, access is denied, no matter why. Prefix
> differences among different systems are unimportant here.
>> But that has to do with authentication, not whether the account is locked.
> That will break many existing installations. Solar Designer in his post
> completely described why. And again, password hash checking is the job of the auth
> stack, not the account one. The account stack was designed to check and enforce
> account restrictions, not the password hash, the more so as there is no strict
> standard on it.
But for systems with the widely-used ! convention for account locking,
shouldn't pam at least have an option to permit expected behavior in the
account phase?
--
Les Mikesell
lesmikesell@xxxxxxxxx
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
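The distinction argued over in this thread, a "!" prefix meaning a locked account versus "*" meaning a disabled password, is easy to audit for directly. The following is an added example written for this page, not code from the pam-list thread, from Linux-PAM or from the 'shadow' package: it classifies shadow-format entries by that prefix convention, keeps the original hash that `passwd -l`-style locking preserves behind the "!", and reports the per-account state an account-phase check would care about. The sample entries are constructed; the hash strings in them are placeholders, not real digests.

```python
# Added example (not from the original thread): classify /etc/shadow-style
# entries by the "!" (locked account) vs "*" (no usable password) convention.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ShadowStatus:
    user: str
    # "active": a hash that may match a user-supplied password
    # "locked": "!" prefix, the account-lock convention discussed above
    # "no-password": "*", a password-less/system account, not an account lock
    # "empty": empty hash field, i.e. no password required at all
    state: str
    # Hash kept behind the "!" when an account was locked with its password
    # preserved (so it can be unlocked later); None when nothing is preserved.
    preserved_hash: Optional[str]


def classify_shadow_line(line: str) -> ShadowStatus:
    """Classify one shadow(5)-format line by its hash-field prefix.

    Note the asymmetry the thread describes: the auth step rejects "!" and
    "*" entries alike, because no crypt(3) output starts with those
    characters, while only the "!" prefix carries the "account is locked"
    meaning that account-phase tools are expected to honour.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, hash_field = fields[0], fields[1]

    if hash_field == "":
        return ShadowStatus(user, "empty", None)
    if hash_field.startswith("!"):
        # "!" alone or "!!" means locked with no hash behind it;
        # "!$6$..." means locked with the previous hash preserved.
        rest = hash_field.lstrip("!")
        return ShadowStatus(user, "locked", rest or None)
    if hash_field == "*":
        return ShadowStatus(user, "no-password", None)
    return ShadowStatus(user, "active", None)


def audit_shadow(lines: List[str]) -> Dict[str, str]:
    """Map each user to its account state; skips blank/comment lines."""
    result: Dict[str, str] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        status = classify_shadow_line(line)
        result[status.user] = status.state
    return result


# Constructed sample entries; "$6$salt$HASH..." values are placeholders.
SAMPLE_SHADOW = [
    "alice:$6$salt$HASHalice:19000:0:99999:7:::",   # normal user
    "bob:!$6$salt$HASHbob:19000:0:99999:7:::",      # locked, hash preserved
    "carol:!!:19000:0:99999:7:::",                  # locked, never had a hash
    "daemon:*:19000:0:99999:7:::",                  # disabled password only
    "guest::19000:0:99999:7:::",                    # empty password field
]

if __name__ == "__main__":
    for user, state in audit_shadow(SAMPLE_SHADOW).items():
        print("%-8s %s" % (user, state))
```

Run over a real shadow file, the `locked` set is what an account-phase policy should refuse regardless of whether the auth phase would also have failed, while `no-password` entries such as `daemon` are the "disabled password, not disabled account" case that Debian's adduser keeps separate.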