Linux locked accounts and PAM

[Darren Tucker]

Thorsten Kukuk wrote:
> On Mon, Oct 06, Max Bowsher wrote:
> 
>> I know about the special behaviour of "!" in a password field when SSH
>> is managing authentication itself. My point is that this special
>> behavior does NOT exist any more when SSH is authenticating via PAM -
>> but I want it to!
> 
> This seems to be a special behavior of ssh, I never saw this elsewhere.

I implemented this in OpenSSH's sshd, based on user requests and 
language such as this in the man pages (this from passwd(1) in Fedora, 
but I suspect similar language exists elsewhere):

  -l  This option is used to lock the specified account and it is
      available to root only. The locking is performed by rendering
      the encrypted  password into an invalid string (by prefixing the
      encrypted string with an !).

Note that is says that it locks the *account* not the *password*.

This was also consistent with other platforms (I did something of a 
survey at the time, and from memory there were other platforms like 
Solaris where locking the account would also affect non-password things 
like cron, but it's been a while so I could be wrong about the details).

> But on the other side, everything else uses the password for authentication,
> so this was not necessary.
> 
> Write your own account module which does the check for you. It's the
> same amount of work than to update all pam installations on all machines.

Agreed, when sshd is configured to use PAM it delegates such things to 
it (as far as possible, anyway) so PAM is the right place to do this. 
Personally I think pam_unix should do this check in the account stack 
(there's also special-case handling of the *NP* string, for example) but 
that's probably a matter of taste.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.