Thorsten Kukuk wrote:
> On Wed, Oct 08, Solar Designer wrote:
>
>> Also, one has to deal with the password hash string, even if via the
>> proper tools, to configure an account like that. "usermod -L" and
>> "passwd -l" are "admin-friendly" approaches; there's no equivalent that
>> would be as friendly for "*-locking" (and "*-unlocking") an account.
>
> usermod -p '*' <account> works fine for me on openSUSE.

I'll wager that these also work (and explicitly document the use of !):

    passwd -l <user>   # lock
    passwd -u <user>   # unlock

The problem being discussed is due to the overloading of the password
field to also contain a 'locked' indicator - whereas things like
'expired' are separate shadow fields.

I can't use ssh pwd auth, and am forced to use PAM, as my passwords are
validated against either KRB or LDAP (which are kept in sync) - and the
LDAP password is not in Linux format (so I use pam_ldap bind) ...
All other account data is in LDAP.

As a consequence of the password storage, even root never sees a password:

    #getent shadow cowboy
    cowboy:*:14144:0:90:30:30::0

Unfortunately, this also means that I can't use the (quasi) standard
tools for lock/unlock :(

-- 
Rick
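
An added example, not part of the message above or of any project's code: a small Python classifier for shadow entries that makes the overloading visible, with lock state read out of the password field while account expiry comes from its own field. The names `ShadowState`, `classify` and `looks_like_hash`, the hash heuristic, and the alice and bob entries are constructed for illustration; the cowboy line is the one quoted in the message.

```python
from dataclasses import dataclass
from typing import Optional

FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn",
          "inactive", "expire", "flag")
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz")

@dataclass
class ShadowState:
    name: str
    password_state: str           # locked | no-local-password | empty | hash
    preserved: Optional[str]      # field content that unlocking would restore
    account_expired: bool         # from the separate "expire" field

def looks_like_hash(pw: str) -> bool:
    # Heuristic (assumption of this example): "$id$..." or 13-char DES crypt.
    return pw.startswith("$") or (len(pw) == 13 and set(pw) <= DES_ALPHABET)

def classify(line: str, today_days: int) -> ShadowState:
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    pw, preserved = entry["passwd"], None
    if pw.startswith("!"):
        # Lock marker overloaded onto the password field; the rest is kept.
        state, preserved = "locked", pw.lstrip("!") or None
    elif pw == "":
        state = "empty"
    elif looks_like_hash(pw):
        state = "hash"
    else:
        # e.g. "*": no crypt(3) result can match, so no local password login.
        state = "no-local-password"
    # Expiry is days since 1970-01-01; an empty field means no expiry.
    expire = entry["expire"]
    expired = expire != "" and 0 < int(expire) <= today_days
    return ShadowState(entry["name"], state, preserved, expired)

SAMPLES = [
    "cowboy:*:14144:0:90:30:30::0",              # line from the message
    "alice:!$6$salt$hash:14144:0:90:30:30::",    # constructed: locked
    "bob:$6$salt$hash:14144:0:90:30:30:14000:",  # constructed: expired
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s, today_days=14200))
```

The cowboy entry comes out as `no-local-password` rather than `locked`: the field alone cannot say whether `*` means "disabled" or "authenticated elsewhere via PAM", which is the ambiguity the thread is about.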