On 08.10.2008 20:54, Les Mikesell wrote:
Dan Yefimov wrote:
No, I miss nothing here. Whatever prefix password hash begins with,
if the password hash derived from the string obtained from the user
isn't equal to what is contained in shadow, access is denied, no
matter why. Prefix differences among different systems is
unimportant here.
But that has to do with authentication, not whether the account is
locked.
"Locking an account" here means "invalidating password hash". So
effectively that means "disabling password authentication for
account", nothing more.
That would make sense if the password file was the one and only way to
authenticate so you could usurp the concept to control the account - but
it isn't when you use PAM...
We discuss here only pam_unix.so, for which the password file or it's equivalent
(provided with NSS) IS the only way :-)
--
Sincerely Your, Dan.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
