Thorsten Kukuk wrote:
> On Thu, Oct 02, Max Bowsher wrote:
>> Hi,
>>
>> "Traditional" (pre-PAM) Linux software, like the 'shadow' package providing tools such as /usr/bin/passwd, and OpenSSH in non-PAM mode support the concept of a "locked" account being one whose crypted password field starts with a "!" character.
>
> This has nothing to do with PAM.
Well, obviously. I'm describing the non-PAM behaviour that I then proceed to explain I'd like to see in PAM too.
>> In particular, an account "locked" in this fashion becomes ineligible for ssh logins by public key, as well as by password, when used in this manner, when OpenSSH is not using PAM. I'd quite like to make use of this feature even when OpenSSH *is* using PAM. Is there any existing way to configure PAM to respect this convention?
>
> On openSUSE you can use "usermod -L" or "passwd -l" for this.
Unless openSUSE has significantly different versions of these tools than Debian/Ubuntu, then the way those commands work is *exactly what I'm talking about* - they prepend a "!" character to the password.
Now, clearly, this blocks password-based logins. I am saying that it should block logins by non-password means too (e.g. ssh pubkey), and suggesting that the account-management part of pam_unix should consider an account marked with a ! to be disabled (well, expired, I suppose, since I don't see a locked/disabled return code in the pam headers.)
Max.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
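An added audit script (written for this page, not code from the thread, the 'shadow' package or pam_unix) that finds the gap Max describes: accounts whose password field carries the 'shadow' tools' "!" lock but that still hold an SSH authorized_keys file, so a public-key login could bypass the lock. The shadow records and the set of key holders are constructed sample data.

```python
"""Audit for '!'-locked accounts that still hold SSH authorized keys."""

# Constructed /etc/shadow-style records for the example (not from any real host).
SAMPLE_SHADOW = """\
root:$6$c0nstructed$notarealhash:19600:0:99999:7:::
alice:!$6$c0nstructed$notarealhash:19600:0:99999:7:::
bob:*:19600:0:99999:7:::
carol:!!:19600:0:99999:7:::
dave::19600:0:99999:7:::
broken-line-without-fields
"""

# Constructed set of accounts that have a non-empty ~/.ssh/authorized_keys.
SAMPLE_KEY_HOLDERS = {"root", "alice", "carol"}


def lock_state(pw_field: str) -> str:
    """Classify a shadow password field by the 'shadow' package convention.

    'locked' : starts with '!' (what usermod -L / passwd -l write)
    'nopass' : '*', never a crypt(3) result, so no password login is possible
    'empty'  : no password at all
    'active' : anything else, treated as a usable crypt(3) hash
    """
    if pw_field.startswith("!"):
        return "locked"
    if pw_field == "":
        return "empty"
    if pw_field == "*":
        return "nopass"
    return "active"


def parse_shadow(text: str) -> dict:
    """Map user -> password field; skip malformed lines (shadow has 9 fields)."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 9:
            continue
        users[parts[0]] = parts[1]
    return users


def locked_accounts_with_keys(shadow_text: str, key_holders: set) -> list:
    """Accounts locked with '!' that still hold authorized keys: the '!' blocks
    password logins, but unless the account stage also rejects the user, an
    ssh public key can still open a session."""
    pw = parse_shadow(shadow_text)
    return sorted(u for u, f in pw.items()
                  if lock_state(f) == "locked" and u in key_holders)


if __name__ == "__main__":
    for user in locked_accounts_with_keys(SAMPLE_SHADOW, SAMPLE_KEY_HOLDERS):
        print(f"{user}: password locked with '!' but authorized_keys present")
```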