Linux locked accounts and PAM
Tomas Mraz
tmraz at redhat.com
Tue Oct 7 10:26:45 UTC 2008
On Tue, 2008-10-07 at 20:55 +1100, Darren Tucker wrote:
> Thorsten Kukuk wrote:
> > On Mon, Oct 06, Max Bowsher wrote:
> >
> >> I know about the special behaviour of "!" in a password field when SSH
> >> is managing authentication itself. My point is that this special
> >> behavior does NOT exist any more when SSH is authenticating via PAM -
> >> but I want it to!
> >
> > This seems to be a special behavior of ssh, I never saw this elsewhere.
>
> I implemented this in OpenSSH's sshd, based on user requests and
> language such as this in the man pages (this from passwd(1) in Fedora,
> but I suspect similar language exists elsewhere):
>
>   -l    This option is used to lock the specified account and it is
>         available to root only. The locking is performed by rendering
>         the encrypted password into an invalid string (by prefixing the
>         encrypted string with an !).
...
> Agreed, when sshd is configured to use PAM it delegates such things to
> it (as far as possible, anyway) so PAM is the right place to do this.
> Personally I think pam_unix should do this check in the account stack
> (there's also special-case handling of the *NP* string, for example) but
> that's probably a matter of taste.
I agree that pam_unix should be modified to do this check in the account
phase. I'll write a patch later.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
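The thread turns on the convention quoted from passwd(1): an account is locked by prefixing its encrypted password with "!", and a PAM-based sshd only honours that if the account stack (pam_unix) checks for it. The following is an added illustration, not code from this thread, from OpenSSH or from pam_unix: a small parser over constructed /etc/shadow-style records that classifies each password field the way an account check would need to. The "!" prefix and the "*NP*" special case come from the thread; treating a leading "*" as a disabled (non-loginable) entry is an assumption taken from the shadow(5) convention, and the lock/unlock helpers mirror what passwd -l / passwd -u do to the field.

```python
"""Classify /etc/shadow-style password fields to find locked accounts.

Added example: not from the Pam-list thread, OpenSSH or pam_unix.
"""
from dataclasses import dataclass

LOCK_PREFIX = "!"   # passwd -l prefixes the encrypted string with "!"
NIS_NO_PASSWORD = "*NP*"  # special-cased by pam_unix, as mentioned in the thread


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    status: str


def classify_hash(field: str) -> str:
    """Return one of: empty, np, locked, disabled, active."""
    if field == "":
        return "empty"          # no password at all (never acceptable for login)
    if field == NIS_NO_PASSWORD:
        return "np"             # NIS+ "no password" marker, handled specially by pam_unix
    if field.startswith(LOCK_PREFIX):
        return "locked"         # the passwd -l convention; covers "!!" as well
    if field.startswith("*"):
        return "disabled"       # assumption: shadow(5) convention for non-loginable entries
    return "active"             # anything else is treated as a usable hash


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow-format lines (user:hash:lastchg:...) into entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # malformed line; an account check would reject it
        user, hash_field = fields[0], fields[1]
        entries.append(ShadowEntry(user, hash_field, classify_hash(hash_field)))
    return entries


def locked_users(text: str) -> list[str]:
    """Names of accounts whose password field carries the lock prefix."""
    return [e.user for e in parse_shadow(text) if e.status == "locked"]


def lock_hash(field: str) -> str:
    """What passwd -l does: prefix the field with "!" (idempotent)."""
    return field if field.startswith(LOCK_PREFIX) else LOCK_PREFIX + field


def unlock_hash(field: str) -> str:
    """What passwd -u does: strip a single leading "!" to restore the hash."""
    return field[1:] if field.startswith(LOCK_PREFIX) else field


# Constructed sample records; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
carol:!!:19000:0:99999:7:::
dave:*NP*:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(f"{entry.user:8} {entry.status}")
    print("locked:", locked_users(SAMPLE_SHADOW))
```

The point of the classification is that an account-phase check must see the original field: the "!" prefix is only an invalid hash as far as password comparison goes, so a module that merely fails to match the password would report a wrong password rather than a locked account, and a password-less authentication method would let the user straight through.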