Linux locked accounts and PAM
Richard A Nelson
cowboy at vnet.ibm.com
Wed Oct 8 15:27:58 UTC 2008
Thorsten Kukuk wrote:
> On Wed, Oct 08, Solar Designer wrote:
>
>> Also, one has to deal with the password hash string, even if via the
>> proper tools, to configure an account like that. "usermod -L" and
>> "passwd -l" are "admin-friendly" approaches; there's no equivalent that
>> would be as friendly for "*-locking" (and "*-unlocking") an account.
>
> usermod -p '*' <account> works fine for me on openSUSE.
I'll wager that these also work (and explicitly document the use of !):
passwd -l <user> # lock
passwd -u <user> # unlock
The problem being discussed is due to the overloading of the password field
to also contain a 'locked' indicator - whereas things like 'expired' are
separate shadow fields.
I can't use ssh pwd auth, and am forced to use PAM, as my passwords are
validated against either KRB or LDAP (which are kept in sync) - and the LDAP
password is not in Linux format (so I use pam_ldap bind) ... All other
account data is in LDAP.
As a consequence of the password storage, even root never sees a password:
#getent shadow cowboy
cowboy:*:14144:0:90:30:30::0
Unfortunately, this also means that I can't use the (quasi) standard tools
for lock/unlock :(
--
Rick
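An added example (not code from this thread) that makes the overloading concrete: it parses getent-shadow style lines like the one quoted above and reports what the password field says about locking separately from the expiry and inactivity fields that have their own columns. The sample lines, the second account and the "today" day count are constructed.

```python
# Added example: separate the password-field lock state ('!' prefix, '*'
# placeholder) from the account-level expiry that lives in its own fields.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ShadowEntry:
    name: str
    password: str
    lastchg: Optional[int]   # days since epoch of the last password change
    maximum: Optional[int]   # max days before a change is required
    inactive: Optional[int]  # grace days after the password expires
    expire: Optional[int]    # days since epoch when the account itself expires

def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None

def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow line (9 colon-separated fields, as getent shadow prints)."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 shadow fields, got %d" % len(f))
    return ShadowEntry(f[0], f[1], _int_or_none(f[2]), _int_or_none(f[4]),
                       _int_or_none(f[6]), _int_or_none(f[7]))

def password_state(pw: str) -> str:
    """What the overloaded password field says about password logins."""
    if pw.startswith("!"):
        return "locked"        # passwd -l / usermod -L prepend '!' to the hash
    if pw == "":
        return "empty"         # no password set at all
    if pw.startswith("*"):
        return "no-password"   # placeholder: no local password, PAM may still auth
    return "hash"              # a usable crypt(3) hash

def unlock(pw: str) -> str:
    """What passwd -u does to the field: drop the leading '!' to restore the hash."""
    return pw[1:] if pw.startswith("!") else pw

def account_state(e: ShadowEntry, today: int) -> str:
    """Expiry and inactivity come from separate fields, not the password field."""
    if e.expire is not None and today >= e.expire:
        return "expired"
    if (e.lastchg is not None and e.maximum is not None and e.inactive is not None
            and today > e.lastchg + e.maximum + e.inactive):
        return "inactive"
    return "active"

# Constructed sample: the '*' account from the post plus a locally locked one.
SAMPLE = ["cowboy:*:14144:0:90:30:30::0",
          "alice:!$6$saltsalt$hashhashhash:14144:0:99999:7:::"]
TODAY = 14160  # constructed day count for the example

if __name__ == "__main__":
    for line in SAMPLE:
        e = parse_shadow_line(line)
        print(e.name, password_state(e.password), account_state(e, TODAY))
```

Running it shows "cowboy no-password active" and "alice locked active": the '*' account is neither locked nor expired in the shadow sense, it simply has no local password, which is why the lock/unlock tools have nothing to toggle.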