Linux locked accounts and PAM
Les Mikesell
les at futuresource.com
Wed Oct 8 13:25:44 UTC 2008
Dan Yefimov wrote:
>
>> No, you're missing something: A password hash that begins with a !
>> character, by mostly undocumented but fairly widespread convention, has
>> a meaning beyond mere authentication - it denotes a completely locked
>> account. This semantic is expected by traditional Linux tools such as
>> those built from the 'shadow' source package of most Linux distros, and
>> extended tools such as Debian's 'adduser', which makes a distinction
>> between a disabled *account* and a disabled *password* and maps this to
>> the "!" vs. "*" convention.
>
> No, I miss nothing here. Whatever prefix a password hash begins with, if
> the password hash derived from the string obtained from the user isn't equal to
> what is contained in shadow, access is denied, no matter why. Prefix
> differences among different systems are unimportant here.
But that has to do with authentication, not whether the account is locked.
> That will break many existing installations. Solar Designer in his post
> completely described why. And again, password hash checking is the job of the auth
> stack, not the account one. The account stack was designed to check and enforce
> account restrictions, not the password hash, the more so as there is no strict
> standard on it.
But for systems with the widely-used ! convention for account locking,
shouldn't pam at least have an option to permit expected behavior in the
account phase?
--
Les Mikesell
lesmikesell at gmail.com
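As an added illustration of the "!" versus "*" convention the thread is arguing about (this is not code from the thread, from PAM, or from the shadow package), the script below parses /etc/shadow-format lines and keeps the two questions apart that Dan and Les are separating: the auth-stack question (is there a hash a typed password could ever match?) and the account-stack question (is the account administratively locked by a "!" prefix, or past its expiry day?). The sample lines are constructed. The expiry check goes a step beyond the thread to the "account restrictions" it mentions and follows shadow(5) semantics as I understand them: an account is expired once today's day number is at or past a positive expire field.

```python
"""Audit /etc/shadow-style entries for the '!' / '*' hash-prefix convention.

Added example; SAMPLE_SHADOW is constructed data, not a real shadow file.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample. Field order per shadow(5):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
bob:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
erin::19000:0:99999:7:::
frank:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7::18000:
"""


@dataclass(frozen=True)
class ShadowStatus:
    name: str
    password_usable: bool   # auth-stack question: is there a hash a password could match?
    account_locked: bool    # '!' convention: account administratively locked
    account_expired: bool   # account-stack question: expire day reached
    reason: str


def classify_hash(field: str) -> Tuple[bool, bool, str]:
    """Apply the '!' / '*' convention to the hash field alone.

    Returns (password_usable, account_locked, reason).
    """
    if field.startswith("!"):
        # usermod -L / passwd -l prepend '!' and keep the old hash behind it,
        # so the lock is reversible; the account is locked regardless of
        # what follows the '!'.
        return False, True, "locked: hash field starts with '!'"
    if field.startswith("*"):
        # No hash can match, so password auth fails, but the account is not
        # marked locked in the '!' sense (Debian adduser's "disabled password").
        return False, False, "password disabled ('*'), account not marked locked"
    if field == "":
        # No hash at all; whether a blank password is accepted depends on
        # pam_unix's nullok option, so treat it as not usable here.
        return False, False, "empty password field (no hash to match)"
    return True, False, "hash present; auth decided by comparing hashes"


def parse_shadow(text: str) -> List[List[str]]:
    """Split shadow-format text into 9-field records, skipping blanks/comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line ({len(fields)} fields): {line!r}")
        entries.append(fields)
    return entries


def audit(text: str, today: int) -> Dict[str, ShadowStatus]:
    """Classify every entry; `today` is days since the epoch (shadow(5) units)."""
    result = {}
    for fields in parse_shadow(text):
        name, hash_field, expire = fields[0], fields[1], fields[7]
        usable, locked, reason = classify_hash(hash_field)
        # A positive expire day that is <= today means the account has expired.
        expired = expire != "" and int(expire) > 0 and today >= int(expire)
        result[name] = ShadowStatus(name, usable, locked, expired, reason)
    return result


if __name__ == "__main__":
    for st in audit(SAMPLE_SHADOW, today=19500).values():
        print(f"{st.name:8} usable={st.password_usable!s:5} locked={st.account_locked!s:5} "
              f"expired={st.account_expired!s:5}  {st.reason}")
```

Running it shows why the two stacks disagree in the thread: `bob` and `carol` fail authentication for the same reason `daemon` does (no matching hash), yet only the first two carry the "!" marker that the shadow tools read as "account locked", which is exactly the distinction an account-phase check would need to honour.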
More information about the Pam-list mailing list