Linux locked accounts and PAM

Dan Yefimov dan at nf15.lightwave.net.ru
Wed Oct 8 14:31:51 UTC 2008


On Wed, 8 Oct 2008, Les Mikesell wrote:

> > No, I miss nothing here. Whatever prefix the password hash begins with, if 
> > the password hash derived from the string obtained from the user isn't equal to 
> > what is contained in shadow, access is denied, no matter why. Prefix 
> > differences among different systems are unimportant here.
> 
> But that has to do with authentication, not whether the account is locked.

"Locking an account" here means "invalidating password hash". So effectively 
that means "disabling password authentication for account", nothing more.
 
> > That will break many existing installations. Solar Designer in his post 
> > completely described why. And again, password hash checking is the job of the auth 
> > stack, not the account one. The account stack was designed to check and enforce 
> > account restrictions, not the password hash, especially since there is no strict 
> > standard on it.
> 
> But for systems with the widely-used ! convention for account locking, 
> shouldn't pam at least have an option to permit expected behavior in the 
> account phase?
> 
Probably yes, but only as an option not enabled by default.
-- 

    Sincerely Your, Dan.
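An added example, not from this thread or from Linux-PAM itself, showing the two views the post contrasts: the auth-phase view, where a `!` or `*` prefixed hash can never equal any crypt() output, and the account-phase view, where pam_unix looks at expiry fields rather than at the hash. The shadow lines are constructed, and the expiry check is simplified (it ignores the max/inactive fields).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)  # shadow date fields are days since this date


@dataclass
class ShadowEntry:
    name: str
    hash_field: str
    last_change: Optional[int]
    expire: Optional[int]  # field 8, days since epoch; None if unset


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow record (9 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")

    def to_int(s: str) -> Optional[int]:
        return int(s) if s else None

    return ShadowEntry(fields[0], fields[1], to_int(fields[2]), to_int(fields[7]))


def password_locked(hash_field: str) -> bool:
    """Auth-phase view: '!' or '*' prefixes make the field unmatchable by crypt()."""
    return hash_field.startswith(("!", "*"))


def account_expired(entry: ShadowEntry, today: date) -> bool:
    """Account-phase view: only the expiry date is consulted, never the hash."""
    if entry.expire is None:
        return False
    return today >= EPOCH + timedelta(days=entry.expire)


def classify(line: str, today: date) -> dict:
    """Report which PAM phase would deny this (constructed) shadow record."""
    e = parse_shadow_line(line)
    return {
        "user": e.name,
        "auth_denied": password_locked(e.hash_field),
        "account_denied": account_expired(e, today),
    }


# Constructed sample records; hashes are placeholders, not real crypt output.
SAMPLE_LINES = [
    "alice:$6$saltsalt$placeholderhash:14000:0:99999:7:::",
    "bob:!$6$saltsalt$placeholderhash:14000:0:99999:7:::",
    "carol:*:14000:0:99999:7:::",
    "dave:$6$saltsalt$placeholderhash:14000:0:99999:7::10000:",
]
```

Running `classify` over the samples with a fixed date shows bob and carol denied only by the auth phase (locked hash), dave denied only by the account phase (expired), and alice allowed by both.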