Linux locked accounts and PAM

Dan Yefimov dan at nf15.lightwave.net.ru
Wed Oct 8 11:43:12 UTC 2008


On Wed, 8 Oct 2008, Tomas Mraz wrote:

> On Wed, 2008-10-08 at 01:25 +0400, Dan Yefimov wrote:
> > On 07.10.2008 2:40, Max Bowsher wrote:
> > > I know about the special behaviour of "!" in a password field when SSH
> > > is managing authentication itself. My point is that this special
> > > behavior does NOT exist any more when SSH is authenticating via PAM -
> > > but I want it to!
> > >
> > If SSH authentication is performed via PAM (so called keyboard-interactive 
> > authentication), you do have that behaviour. But, IIRC, you perform 
> > authentication with an SSH public key, which completely bypasses the PAM infrastructure 
> > at the authentication stage regardless of the 'UsePAM yes' setting, thus the result 
> > you observe. PAM has nothing to do with that. Please carefully read the sshd_config 
> > manual.
> Not really - sshd will call pam_acct_mgmt() even in case of public key
> authentication. The problem is pam_unix checks just the expiration dates
> of the shadow entry, not the password hash field contents.
> 
The password hash entry is implicitly checked at pam_authenticate() time, not at 
pam_acct_mgmt() time. But pam_authenticate() is not called during public key 
authentication. That's exactly what I said.

> I think we should do the same as sshd on Linux without PAM enabled - it
> will reject just the accounts with password hash that starts with the
> '!'. We would not reject the accounts with '*' in the password hash in
> the shadow entry.
> 
SSHD rejects such accounts while performing password verification. If the 
hash of the password provided by the user isn't equal to what is contained in 
shadow, access is denied. That's simple. I think there is no reason to 
duplicate the job of the auth stack compulsorily, but if somebody wants such 
duplication, let him specify a special pam_unix command line option in the account 
stack.
-- 

    Sincerely Yours, Dan.

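As an added example (not code from this thread, and not the code of Linux-PAM or OpenSSH), the following C program models the distinction Tomas and Dan are discussing for a key-based login, where no password is verified: a shadow(5) record parser, the hash-field rule sshd applies on Linux when it is not using PAM (reject a hash beginning with '!', leave '*' alone), and date-only checks of the kind pam_unix's account stage performs, which never look at the hash. The shadow lines, the "today" day numbers, the function and type names and the simplified expiry arithmetic are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of inspecting one constructed /etc/shadow record. */
enum shadow_status {
    SHADOW_OK = 0,       /* usable hash, nothing expired */
    SHADOW_LOCKED,       /* hash starts with '!' (passwd -l / usermod -L) */
    SHADOW_NO_PASSWORD,  /* hash is "*" or empty: no password login, key login still possible */
    SHADOW_EXPIRED,      /* account expiry date (field 8) has passed */
    SHADOW_PW_EXPIRED,   /* password older than max age plus inactivity window */
    SHADOW_MALFORMED     /* line could not be parsed */
};

/* Subset of a shadow(5) record; day fields count days since 1970-01-01, -1 when empty. */
struct shadow_rec {
    char name[64];
    char hash[256];
    long lastchg, min, max, warn, inact, expire;
};

static long days_or_minus_one(const char *s) {
    return *s ? strtol(s, NULL, 10) : -1;
}

/* Split on ':' in place, keeping empty fields (strtok would merge "::"). */
static int split_colon(char *buf, char **out, int max) {
    int n = 0;
    char *cur = buf;
    while (n < max) {
        out[n++] = cur;
        char *c = strchr(cur, ':');
        if (!c) break;
        *c = '\0';
        cur = c + 1;
    }
    return n;
}

/* Parse "name:hash:lastchg:min:max:warn:inact:expire:reserved". Returns 0 on success. */
int parse_shadow_line(const char *line, struct shadow_rec *r) {
    char buf[512];
    char *f[9];
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';          /* tolerate a trailing newline */
    if (split_colon(buf, f, 9) < 8) return -1;
    if (strlen(f[0]) >= sizeof r->name || strlen(f[1]) >= sizeof r->hash) return -1;
    strcpy(r->name, f[0]);
    strcpy(r->hash, f[1]);
    r->lastchg = days_or_minus_one(f[2]);
    r->min     = days_or_minus_one(f[3]);
    r->max     = days_or_minus_one(f[4]);
    r->warn    = days_or_minus_one(f[5]);
    r->inact   = days_or_minus_one(f[6]);
    r->expire  = days_or_minus_one(f[7]);
    return 0;
}

/* The hash-field convention sshd applies on Linux when it is not using PAM. */
enum shadow_status classify_hash(const char *hash) {
    if (hash[0] == '!') return SHADOW_LOCKED;
    if (hash[0] == '\0' || hash[0] == '*') return SHADOW_NO_PASSWORD;
    return SHADOW_OK;
}

/* Date checks of the kind pam_unix's account stage performs; the hash is never consulted.
 * Simplified: pam_unix distinguishes "must change" from "expired"; both collapse here. */
enum shadow_status check_dates(const struct shadow_rec *r, long today) {
    if (r->expire > 0 && today >= r->expire) return SHADOW_EXPIRED;
    if (r->lastchg > 0 && r->max >= 0) {
        long grace = r->inact > 0 ? r->inact : 0;
        if (today >= r->lastchg + r->max + grace) return SHADOW_PW_EXPIRED;
    }
    return SHADOW_OK;
}

/* Whole-account decision for a key-based login (no password verified).
 * reject_locked_hash = 0 models pam_unix's account stage (dates only);
 * reject_locked_hash = 1 adds the '!' rule proposed in the thread ('*' is not rejected). */
enum shadow_status check_account(const char *line, long today, int reject_locked_hash) {
    struct shadow_rec r;
    if (parse_shadow_line(line, &r) != 0) return SHADOW_MALFORMED;
    if (reject_locked_hash && classify_hash(r.hash) == SHADOW_LOCKED) return SHADOW_LOCKED;
    return check_dates(&r, today);
}

int main(void) {
    /* Constructed records; the hashes are placeholders, not real crypt(3) output. */
    const char *records[] = {
        "alice:$6$saltsalt$notarealhash:17000:0:99999:7:::",
        "bob:!$6$saltsalt$notarealhash:17000:0:99999:7:::",     /* locked with passwd -l */
        "svc:*:17000:0:99999:7:::",                              /* never had a password */
        "dave:$6$saltsalt$notarealhash:17000:0:99999:7::17400:", /* account expiry set */
    };
    const long today = 17500;
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%-60s dates-only=%d with-'!'-rule=%d\n", records[i],
               check_account(records[i], today, 0), check_account(records[i], today, 1));
    return 0;
}
```

With `reject_locked_hash` set to 0, bob's '!'-locked record passes on dates alone, which is the behaviour the thread describes for a public-key login under pam_unix; with it set to 1 the record is refused while svc's '*' entry still passes, matching Tomas's proposal to reject only the '!' prefix.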