
Re: Account locking/unlocking

Once upon a time, Matt Drown wrote:
>At the same time you can do account locking by creating a user.permits
>file which is how I have done some things.
>auth       required     /lib/security/pam_listfile.so \
>                onerr=fail item=user sense=allow file=/etc/user.permit
>auth       required     /lib/security/pam_nologin.so
>auth       sufficient   /lib/security/pam_krb5.so
>auth       required     /lib/security/pam_pwdb.so shadow nullok use_first_pass
>A user needs to be in the user.permit file, or they are not allowed in.
>You can reverse this feature around and have a user.deny file if you want

The problem with this is that now the locking on the permit/deny file is
up to the admin.  I work for an ISP with close to 3000 accounts, and
tech support is in charge of adding/locking/deleting accounts.  When I
use useradd/usermod/userdel, they automatically lock all the correct
files when they do updates.  If I use a flat permit/deny text file, now
I have to write the locking routines and make sure that everything that
might write to the file uses the routines correctly.  We do have people
trying to update things at the same time, and without proper locking,
the file will get corrupted.

Chris Adams - cadams@ro.com
System Administrator - Renaissance Internet Services
I don't speak for anybody but myself - that's enough trouble.
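
The hand-written locking this reply refers to, as an added example that is not code from either poster: every tool that edits the pam_listfile list takes an exclusive lock, rebuilds the file, and renames it into place. The function name `update_permit` and the sidecar `.lock` file are assumptions, and the scheme only protects the file if every writer goes through it.

```python
import fcntl
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def _exclusive(path):
    """Hold an exclusive advisory lock tied to `path` for the block."""
    # Lock a sidecar file: os.replace() below swaps the inode of `path`,
    # so a lock taken on the data file itself would not serialize writers.
    fd = os.open(path + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)   # blocks until other writers finish
        yield
    finally:
        os.close(fd)                     # closing the descriptor releases the lock


def _read(path):
    try:
        with open(path) as f:
            return {line.strip() for line in f if line.strip()}
    except FileNotFoundError:
        return set()


def update_permit(path, user, allow):
    """Add (allow=True) or remove (allow=False) `user`; return the new list."""
    if not user or any(c.isspace() for c in user):
        raise ValueError("invalid user name")
    with _exclusive(path):
        users = _read(path)
        (users.add if allow else users.discard)(user)
        # Write the complete new file beside the old one, then rename it
        # into place, so a login in progress never reads a half-written list.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        try:
            with os.fdopen(fd, "w") as f:
                f.write("".join(u + "\n" for u in sorted(users)))
                f.flush()
                os.fsync(f.fileno())
            os.chmod(tmp, 0o644)         # readable, not world-writable
            os.replace(tmp, path)        # atomic on the same filesystem
        except BaseException:
            os.unlink(tmp)
            raise
        return sorted(users)
```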
