Linux locked accounts and PAM
Tomas Mraz
tmraz at redhat.com
Wed Oct 8 07:12:23 UTC 2008
On Wed, 2008-10-08 at 01:25 +0400, Dan Yefimov wrote:
> On 07.10.2008 2:40, Max Bowsher wrote:
> > I know about the special behaviour of "!" in a password field when SSH
> > is managing authentication itself. My point is that this special
> > behavior does NOT exist any more when SSH is authenticating via PAM -
> > but I want it to!
> >
> If SSH authentication is performed via PAM (so called keyboard-interactive
> authentication), you do have that behaviour. But, IIRC, you perform
> authentication with SSH public key, which completely bypasses PAM infrastructure
> at the authentication stage regardless of 'UsePAM yes' setting, thus the result
> you observe. PAM has nothing to do with that. Please carefully read sshd_config
> manual.
Not really - sshd will call pam_acct_mgmt() even in case of public key
authentication. The problem is pam_unix checks just the expiration dates
of the shadow entry, not the password hash field contents.
I think we should do the same as sshd on Linux without PAM enabled - it
will reject just the accounts with a password hash that starts with
'!'. We would not reject the accounts with '*' in the password hash in
the shadow entry.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
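An added example, not part of the thread, that makes the gap concrete: it parses shadow(5)-style lines and applies the two checks side by side, the '!'-prefix lock test that sshd without PAM performs, and an approximation of the aging/expiry test that pam_unix's account management performs. The sample entries and the "today" value are constructed for illustration, and the pam_unix logic is a simplification of the upstream `check_shadow_expiry()` rules, not the module's own code.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ShadowEntry:
    # shadow(5): name:hash:lastchange:min:max:warn:inactive:expire:reserved (days since epoch)
    name: str
    hash: str
    lastchange: Optional[int]
    max_age: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]

def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None

def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) < 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    return ShadowEntry(f[0], f[1], _int_or_none(f[2]), _int_or_none(f[4]),
                       _int_or_none(f[6]), _int_or_none(f[7]))

def sshd_no_pam_rejects(e: ShadowEntry) -> bool:
    """sshd built without PAM on Linux: a hash beginning with '!' means locked.
    A bare '*' (no password ever set) is NOT treated as locked."""
    return e.hash.startswith("!")

def pam_unix_acct_status(e: ShadowEntry, today: int) -> str:
    """Approximation of pam_unix account management: only the aging and
    expiry fields are consulted; the hash contents are ignored entirely."""
    if e.expire is not None and today >= e.expire:
        return "account expired"
    if e.lastchange == 0:
        return "password change required"
    if e.lastchange is not None and e.max_age is not None and e.max_age >= 0 \
            and today >= e.lastchange + e.max_age:
        if e.inactive is not None and today >= e.lastchange + e.max_age + e.inactive:
            return "account expired"
        return "password expired"
    return "ok"

def audit(lines, today: int) -> dict:
    """Map each account to what each check would decide."""
    return {(e := parse_shadow_line(l)).name:
            {"sshd_no_pam_locked": sshd_no_pam_rejects(e),
             "pam_unix": pam_unix_acct_status(e, today)} for l in lines}

# Constructed sample entries (fake hashes, fake accounts); day 14000 is mid-2008.
SAMPLE = [
    "alice:$6$salt$FAKEHASH:13900:0:99999:7:::",        # ordinary active account
    "bob:!$6$salt$FAKEHASH:13900:0:99999:7:::",         # locked with passwd -l
    "carol:*:13900:0:99999:7:::",                       # never had a password
    "dave:$6$salt$FAKEHASH:13800:0:90:7:10::",          # aged out past inactive window
    "erin:$6$salt$FAKEHASH:13900:0:99999:7::13950:",    # account expiry date passed
]
TODAY = 14000
```

Running `audit(SAMPLE, TODAY)` shows the case the thread is about: "bob" is locked for sshd-without-PAM but reports "ok" from the pam_unix check, so a public-key login that only goes through pam_acct_mgmt() is not stopped.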