Linux locked accounts and PAM

Les Mikesell les at futuresource.com
Thu Oct 9 08:13:40 UTC 2008


Dan Yefimov wrote:
> 
>>>>> No, I miss nothing here. Whatever prefix password hash begins with,
>>>>> if the password hash derived from the string obtained from the user
>>>>> isn't equal to what is contained in shadow, access is denied, no
>>>>> matter why. Prefix differences among different systems is
>>>>> unimportant here.
>>>> But that has to do with authentication, not whether the account is
>>>> locked.
>>>
>>> "Locking an account" here means "invalidating password hash". So
>>> effectively that means "disabling password authentication for
>>> account", nothing more.
>>
>> That would make sense if the password file was the one and only way to
>> authenticate so you could usurp the concept to control the account - but
>> it isn't when you use PAM...
>>
> We discuss here only pam_unix.so, for which the password file or its 
> equivalent (provided with NSS) IS the only way :-)

There would not be much point to PAM if you could not use more than one 
module for any particular operation.  The relevant configuration would 
be where you have alternate or additional modules for authentication 
(ldap, smb, etc.) but you require pam_unix.so for valid local account 
information - and locally the account is locked.

-- 
    Les Mikesell
     lesmikesell at gmail.com
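The configuration Les describes, sketched as an added example that is not part of the thread: a hypothetical stack where pam_ldap.so is sufficient for "auth" and pam_unix.so is required for "account", together with a small POSIX sh audit that classifies constructed /etc/shadow entries the way pam_unix evaluates them. The hashes and user names are made up; the script never reads the real /etc/shadow. The point it makes is the practitioner's caveat behind the disagreement above: passwd -l and usermod -L only prepend "!" to the hash, which pam_unix's "auth" phase can never match, but pam_unix's "account" phase never looks at the hash at all, so with another authentication module in the stack the user still gets in. Setting the expire field (usermod --expiredate 1 or chage -E) is what makes the "account" phase refuse the login regardless of how the user authenticated.

```shell
#!/bin/sh
# Added example, not code from the pam-list thread.
# pam_unix "auth" compares crypt(password) with field 2 of /etc/shadow, so a
# hash prefixed with "!" (passwd -l, usermod -L) can never match.
# pam_unix "account" ignores the hash and checks the ageing fields; field 8
# is the expiry day (days since the epoch), and pam_unix returns
# PAM_ACCT_EXPIRED once today's day count is >= that field.
# With a hypothetical stack such as
#   auth     sufficient pam_ldap.so
#   auth     required   pam_unix.so
#   account  required   pam_unix.so
# a "!"-locked user whose LDAP password is accepted still logs in; only the
# expire field makes the account phase fail.

# Constructed sample shadow entries (fake hashes, not from any real system).
# Fields: name:hash:lastchg:min:max:warn:inact:expire:reserved
SHADOW_SAMPLE='alice:$6$saltsalt$FAKEHASHaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:17000:0:99999:7:::
bob:!$6$saltsalt$FAKEHASHbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:17000:0:99999:7:::
carol:$6$saltsalt$FAKEHASHccccccccccccccccccccccccccccccccccccccccccc:17000:0:99999:7::1:
dave:!$6$saltsalt$FAKEHASHdddddddddddddddddddddddddddddddddddddddddd:17000:0:99999:7::1:'

# Days since the epoch, the unit the shadow expire field uses.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_status USER [SHADOW_TEXT]
# Prints one of: open | hash-locked | expired | hash-locked+expired | no-such-user
#   hash-locked : pam_unix auth cannot succeed (other auth modules still can)
#   expired     : pam_unix account rejects the login whatever module authenticated
shadow_status() {
    user=$1
    text=${2:-$SHADOW_SAMPLE}
    line=$(printf '%s\n' "$text" | grep "^$user:") || { echo no-such-user; return 1; }
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    status=""
    case $hash in
        '!'*|'*'*) status=hash-locked ;;   # not a valid crypt() output, never matches
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$(today_days)" ]; then
        status=${status:+$status+}expired
    fi
    echo "${status:-open}"
}

for u in alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(shadow_status "$u")"
done
```

Run against a real system by passing the contents of /etc/shadow as the second argument (as root); any account that shows only "hash-locked" is one that an alternate "auth" module would still admit under the stack above.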
