Linux locked accounts and PAM

Dan Yefimov dan at nf15.lightwave.net.ru
Wed Oct 8 22:13:25 UTC 2008


On 08.10.2008 20:54, Les Mikesell wrote:
> Dan Yefimov wrote:
>>
>>>> No, I miss nothing here. Whatever prefix password hash begins with,
>>>> if the password hash derived from the string obtained from the user
>>>> isn't equal to what is contained in shadow, access is denied, no
>>>> matter why. Prefix differences among different systems are
>>>> unimportant here.
>>> But that has to do with authentication, not whether the account is
>>> locked.
>>
>> "Locking an account" here means "invalidating password hash". So
>> effectively that means "disabling password authentication for
>> account", nothing more.
>
> That would make sense if the password file was the one and only way to
> authenticate so you could usurp the concept to control the account - but
> it isn't when you use PAM...
>
We discuss here only pam_unix.so, for which the password file or its equivalent
(provided with NSS) IS the only way :-)
-- 

Sincerely Your, Dan.
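
The point argued above ("locking an account" as invalidating the password hash), as an added example that is not part of the original message or of pam_unix: it classifies the password field of shadow(5) entries by whether a hash comparison could ever succeed. The sample entries are constructed, and the state names and the functions classify() and audit() are made up for this illustration.

```python
# Added example: classify shadow(5) password fields for password authentication.
# Sample entries are constructed; the hash strings are fake placeholders.
SAMPLE_SHADOW = """\
alice:$6$examplesalt$FAKEHASHFAKEHASHFAKEHASH./0123456789:14160:0:99999:7:::
bob:!$6$examplesalt$FAKEHASHFAKEHASHFAKEHASH./0123456789:14160:0:99999:7:::
daemon:*:14160:0:99999:7:::
newuser:!!:14160:0:99999:7:::
guest::14160:0:99999:7:::
"""

# Characters crypt(3) never emits, so a field containing one can never equal
# the hash computed from anything a user types.
NEVER_IN_CRYPT_OUTPUT = set("!*:;\\ \t")


def classify(field):
    """Return the password-authentication state of one shadow password field."""
    if field == "":
        return "empty"                 # no password set at all
    if not (set(field) & NEVER_IN_CRYPT_OUTPUT):
        return "usable"                # heuristic: may match a computed hash
    rest = field[1:]
    if field[0] == "!" and rest and not (set(rest) & NEVER_IN_CRYPT_OUTPUT):
        return "locked-hash-kept"      # stripping "!" restores the old password
    return "no-valid-hash"             # e.g. "*" or "!!": nothing to restore


def audit(shadow_text):
    """Map each user name in shadow-format text to its classify() state."""
    states = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                   # malformed entry, skip
        states[fields[0]] = classify(fields[1])
    return states


if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
```

The states describe only what comparing a computed hash against the shadow field can yield; they say nothing about authentication paths that do not consult that field.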



