Linux locked accounts and PAM
Max Bowsher
maxb at f2s.com
Thu Oct 2 23:48:35 UTC 2008
Thorsten Kukuk wrote:
> On Thu, Oct 02, Max Bowsher wrote:
>
>> Hi,
>>
>> "Traditional" (pre-PAM) Linux software, like the 'shadow' package
>> providing tools such as /usr/bin/passwd, and OpenSSH in non-PAM mode
>> support the concept of a "locked" account being one whose crypted
>> password field starts with a "!" character.
>
> This has nothing to do with PAM.
Well, obviously. I'm describing the non-PAM behaviour that I then
proceed to explain I'd like to see in PAM too.
>> In particular, an account "locked" in this fashion becomes ineligible
>> for ssh logins by public key, as well as by password, when used in this
>> manner, when OpenSSH is not using PAM.
>>
>> I'd quite like to make use of this feature even when OpenSSH *is* using
>> PAM. Is there any existing way to configure PAM to respect this convention?
>
> On openSUSE you can use "usermod -L" or "passwd -l" for this.
Unless openSUSE has significantly different versions of these tools than
Debian/Ubuntu, then the way those commands work is *exactly what I'm
talking about* - they prepend a "!" character to the password.
Now, clearly, this blocks password-based logins. I am saying that it
should block logins by non-password means too (e.g. ssh pubkey), and
suggesting that the account-management part of pam_unix should consider
an account marked with a ! to be disabled (well, expired, I suppose,
since I don't see a locked/disabled return code in the pam headers.)
Max.
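To make the convention under discussion concrete, here is a small Python classifier that reads /etc/shadow-style records and applies the "!" rule alongside the aging fields. This is an added example, not code from this thread, from PAM, or from the shadow suite; the sample records, their placeholder hashes and day counts are constructed, and the status names and the simplified aging check are this example's own choices.

```python
"""Classify /etc/shadow-style records using the "!" lock convention:
a crypted-password field beginning with "!" marks the account locked,
which is what passwd -l / usermod -L write and what non-PAM sshd checks.
Added example, not code from the list thread, PAM or the shadow suite.
Sample records are constructed; "today" is passed in as a day count."""
from dataclasses import dataclass, replace
from typing import Dict, Optional

LOCK_PREFIX = "!"  # prepended by passwd -l / usermod -L, stripped by -u / -U

# Constructed sample records; the hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$placeholderhashplaceholderhash:18000:0:99999:7:::
bob:!$6$saltsalt$placeholderhashplaceholderhash:18000:0:99999:7:::
carol:*:18000:0:99999:7:::
dave:$6$saltsalt$placeholderhashplaceholderhash:17000:0:90:7:::
erin:$6$saltsalt$placeholderhashplaceholderhash:18000:0:99999:7::18000:
"""


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    passwd: str             # crypted password field, possibly "!"-prefixed
    lastchg: Optional[int]  # day of last password change (days since epoch)
    minimum: Optional[int]
    maximum: Optional[int]  # maximum password age in days
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]   # account expiry day (days since epoch)


def _day(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow(5) records: nine colon-separated fields per line."""
    entries: Dict[str, ShadowEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        name, passwd, *ages, _reserved = fields
        lastchg, minimum, maximum, warn, inactive, expire = map(_day, ages)
        entries[name] = ShadowEntry(name, passwd, lastchg, minimum, maximum,
                                    warn, inactive, expire)
    return entries


def is_locked(e: ShadowEntry) -> bool:
    """The "!" convention: the one lock check non-PAM sshd applies, which
    also refuses public-key logins (the behaviour the thread wants from PAM)."""
    return e.passwd.startswith(LOCK_PREFIX)


def lock(e: ShadowEntry) -> ShadowEntry:
    """What passwd -l does: prepend "!" once, leaving the hash intact."""
    return e if is_locked(e) else replace(e, passwd=LOCK_PREFIX + e.passwd)


def unlock(e: ShadowEntry) -> ShadowEntry:
    """What passwd -u does: strip the prefix so the old hash works again."""
    return replace(e, passwd=e.passwd[len(LOCK_PREFIX):]) if is_locked(e) else e


def login_status(e: ShadowEntry, today: int) -> str:
    """Return why a login would be refused, or "ok".

    An explicit lock is reported before expiry.  "*" (no valid hash) is
    reported separately from "locked" because it only defeats password
    authentication; key-based logins are not blocked by it."""
    if is_locked(e):
        return "locked"
    if e.expire is not None and e.expire > 0 and today >= e.expire:
        return "account-expired"
    # Simplified aging check: password is expired once lastchg + max is reached.
    if (e.lastchg is not None and e.maximum is not None
            and today >= e.lastchg + e.maximum):
        return "password-expired"
    if e.passwd.startswith("*"):
        return "password-disabled"
    if e.passwd == "":
        return "empty-password"
    return "ok"


def statuses(text: str, today: int) -> Dict[str, str]:
    """Map every account in the given shadow text to its login status."""
    return {name: login_status(e, today) for name, e in parse_shadow(text).items()}


if __name__ == "__main__":
    for name, status in statuses(SAMPLE_SHADOW, 18050).items():
        print(f"{name:8} {status}")
```

On a real host, `passwd -S user` reports both a "!"-prefixed field and a bare "*" as `L`, so look at the field itself when the distinction between "locked for every method" and "password authentication disabled" matters; only the former is what non-PAM sshd treats as locked.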