On Tue, 7 Oct 2008, Darren Tucker wrote:

> (I did something of a survey at the time, and from memory there were
> other platforms like Solaris where locking the account would also affect
> non-password things like cron, but it's been a while so I could be wrong
> about the details).

Solaris has locked accounts and no-login accounts. The locked accounts have a password hash starting with "*LK*", any logins to them are disabled and no service including cron et al. should run anything under such an account (this is enforced by pam_unix_account on Solaris 10; I am not sure about earlier versions). The no-login accounts have their hash set to "NP" and password-based logins to them are disabled but nothing else is restricted.

HP-UX is able to distinguish between an account without an invalid password hash (starting with an asterisk) and an administratively locked account (with a flag in its extended account database in /tcb/... when it runs in the so-called trusted mode) but I do not know whether it handles these two cases in a different way.

AIX can make the distinction too but it has multiple flags per user account (in its extended user database in /etc/security/user). A flag called "account_locked" disallows logins of any kind (but not cron et al.), another flag called "daemon" allows cron et al. (but no logins). As far as I can tell, an invalid password hash (or a missing passwd attribute in the /etc/security/passwd) affects password-based logins only.

--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21th century edition /

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
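
The Solaris states described in the message above, as an added example that is not part of the original post: a small Python audit that classifies shadow-format entries as locked ("*LK*" prefix), no-login ("NP") or password, and marks locked accounts that still own a crontab for review. The sample entries, the crontab owner set, the "empty" state and the rule that any other value is a usable hash are assumptions made for the example.

```python
# Added example: classify Solaris shadow-style entries by the states the post describes.
from typing import Iterable

LOCKED_PREFIX = "*LK*"   # locked account: logins disabled, cron et al. should not run
NOLOGIN_VALUE = "NP"     # no-login account: only password-based logins disabled


def classify_hash(pw_field: str) -> str:
    """Map the password field of a shadow entry to an account state."""
    if pw_field.startswith(LOCKED_PREFIX):
        return "locked"
    if pw_field == NOLOGIN_VALUE:
        return "no-login"
    if pw_field == "":
        return "empty"       # assumption: reported separately, no hash present
    return "password"        # assumption: anything else is a usable hash


def audit(shadow_lines: Iterable[str], crontab_owners: set[str]) -> list[dict]:
    """Return one record per account; flag locked accounts that own a crontab."""
    report = []
    for raw in shadow_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue         # malformed entry: skip rather than guess
        user, state = fields[0], classify_hash(fields[1])
        report.append({
            "user": user,
            "state": state,
            # Per the post, nothing should run under a locked account,
            # so a crontab left there is worth reviewing.
            "review_crontab": state == "locked" and user in crontab_owners,
        })
    return report


# Constructed sample data (not from any real system).
SAMPLE_SHADOW = [
    "root:$5$constructed$hashvalue:14159::::::",
    "daemon:NP:6445::::::",
    "olduser:*LK*$5$constructed$hashvalue:14000::::::",
    "svcacct:*LK*:14100::::::",
]
SAMPLE_CRON_OWNERS = {"root", "svcacct"}   # hypothetical, gathered separately

if __name__ == "__main__":
    for rec in audit(SAMPLE_SHADOW, SAMPLE_CRON_OWNERS):
        print(rec)
```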