Linux locked accounts and PAM
Pavel Kankovsky
peak at argo.troja.mff.cuni.cz
Sun Oct 12 13:21:18 UTC 2008
On Tue, 7 Oct 2008, Darren Tucker wrote:
> (I did something of a survey at the time, and from memory there were
> other platforms like Solaris where locking the account would also affect
> non-password things like cron, but it's been a while so I could be wrong
> about the details).
Solaris has locked accounts and no-login accounts. The locked accounts
have a password hash starting with "*LK*", any logins to them are disabled
and no service including cron et al. should run anything under such an
account (this is enforced by pam_unix_account on Solaris 10; I am not sure
about earlier versions). The no-login accounts have their hash set to "NP"
and password based logins to them are disabled but nothing else is
restricted.
HP-UX is able to distinguish between an account without an invalid
password hash (starting with an asterisk) and an administratively locked
account (with a flag in its extended account database in /tcb/... when it
runs in the so called trusted mode) but I do not know whether it handles
these two cases in a different way.
AIX can make the distinction too but it has multiple flags per user
account (in its extended user database in /etc/security/user). A flag
called "account_locked" disallows logins of any kind (but not cron et
al.), another flag called "daemon" allows cron et al. (but no logins). As
far as I can tell, an invalid password hash (or a missing passwd attribute
in the /etc/security/passwd) affects password based logins only.
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21th century edition /
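As an added illustration (not code from the thread or from any of the platforms discussed), the following Python helper classifies shadow-style password fields using the markers described in the post above: the Solaris "*LK*" lock and "NP" no-login markers, the generic asterisk "invalid hash", and the Linux "!" prefix that shadow-utils `passwd -l` writes. The sample shadow lines and hash strings are constructed; the explanatory notes are auditor hints, since, as the thread points out, which services honour a lock depends on the platform and PAM stack rather than on the hash field alone.

```python
"""Classify shadow-style password fields by their locking marker.

Added example for illustration. The Solaris markers (*LK*, NP) follow the
post above; the '!' prefix is what shadow-utils `passwd -l` writes on Linux.
Which services actually honour a lock is platform- and PAM-dependent, so the
notes below are hints for an auditor, not a guarantee.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample /etc/shadow lines; the hashes are dummy strings.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$notarealhash:17000:0:99999:7:::
bob:!$6$saltsalt$notarealhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
svc:*LK*:17000::::::
batch:NP:17000::::::
guest::17000:0:99999:7:::
"""


@dataclass
class AccountStatus:
    name: str
    state: str  # locked | no-password | invalid | empty | has-password
    note: str


def classify_hash(field: str) -> Tuple[str, str]:
    """Map one shadow password field to (state, explanation)."""
    if field == "":
        return ("empty", "no password at all; whether login is allowed depends on PAM config")
    if field.startswith("*LK*"):
        return ("locked", "Solaris administrative lock; pam_unix_account denies all services")
    if field == "NP":
        return ("no-password", "Solaris no-login marker; password logins off, other services unrestricted")
    if field.startswith("!"):
        # passwd -l prepends '!' and keeps the original hash, so the lock is
        # reversible; '!!' or '!*' means there never was a usable hash.
        rest = field.lstrip("!")
        if rest and not rest.startswith("*"):
            return ("locked", "Linux '!' lock over a real hash; password auth fails, other auth paths may not")
        return ("locked", "Linux lock with no underlying hash")
    if field.startswith("*"):
        return ("invalid", "invalid hash; password auth impossible but nothing else is restricted")
    return ("has-password", "usable password hash")


def audit_shadow(text: str) -> List[AccountStatus]:
    """Parse shadow-format text and classify every account line."""
    statuses: List[AccountStatus] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line: no password field
        state, note = classify_hash(parts[1])
        statuses.append(AccountStatus(parts[0], state, note))
    return statuses


def locked_names(text: str) -> List[str]:
    """Names of accounts whose hash field carries an administrative lock."""
    return [s.name for s in audit_shadow(text) if s.state == "locked"]


if __name__ == "__main__":
    for s in audit_shadow(SAMPLE_SHADOW):
        print(f"{s.name:8} {s.state:13} {s.note}")
```

Run it against a copy of a real shadow file (read as root) to get a quick inventory of which accounts are locked versus merely password-less; the distinction matters precisely because, as the post notes, a "no-password" or invalid-hash account may still be usable by cron and other non-password services.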