Thorsten Kukuk wrote:
> On Mon, Oct 06, Max Bowsher wrote:
>
>> I know about the special behaviour of "!" in a password field when SSH is managing authentication itself. My point is that this special behavior does NOT exist any more when SSH is authenticating via PAM - but I want it to!
>
> This seems to be a special behavior of ssh, I never saw this elsewhere.
I implemented this in OpenSSH's sshd, based on user requests and language such as this in the man pages (this from passwd(1) in Fedora, but I suspect similar language exists elsewhere):
    -l This option is used to lock the specified account and it is available to root only. The locking is performed by rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !).

Note that it says that it locks the *account* not the *password*.

This was also consistent with other platforms (I did something of a survey at the time, and from memory there were other platforms like Solaris where locking the account would also affect non-password things like cron, but it's been a while so I could be wrong about the details).
> But on the other side, everything else uses the password for authentication, so this was not necessary. Write your own account module which does the check for you. It's the same amount of work as updating all pam installations on all machines.
Agreed, when sshd is configured to use PAM it delegates such things to it (as far as possible, anyway) so PAM is the right place to do this. Personally I think pam_unix should do this check in the account stack (there's also special-case handling of the *NP* string, for example) but that's probably a matter of taste.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
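The account-stack check discussed in this thread, as an added example that is not part of the original message and is not code from pam_unix or OpenSSH: a minimal PAM account module that denies access when the user's shadow password field starts with `!`, so a `passwd -l` lock also applies to logins that never use the password. The function name `shadow_field_is_locked` and the build flag `BUILD_PAM_MODULE` are assumptions made for this example.

```c
#include <stddef.h>

/* Returns 1 if the shadow password field is marked locked the way
 * passwd -l does it (encrypted string prefixed with '!'), else 0.
 * Only the '!' prefix described in the thread is treated as a lock. */
int shadow_field_is_locked(const char *pwfield)
{
    return pwfield != NULL && pwfield[0] == '!';
}

/* The PAM entry point is only compiled when BUILD_PAM_MODULE is defined
 * (hypothetical flag for this example), so the check above can be
 * built and tested on a machine without the PAM development headers. */
#ifdef BUILD_PAM_MODULE
#include <shadow.h>
#include <security/pam_modules.h>

int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
                     int argc, const char **argv)
{
    const char *user = NULL;
    struct spwd *sp;

    (void)flags; (void)argc; (void)argv;

    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;

    /* Reading the shadow entry requires the calling service to be
     * privileged, which sshd is during the account phase. */
    sp = getspnam(user);
    if (sp == NULL)
        return PAM_IGNORE;      /* no local shadow entry: leave the
                                   decision to the other modules */

    /* Applies regardless of how the user authenticated (public key,
     * GSSAPI, ...), because it runs in the account stack. */
    if (shadow_field_is_locked(sp->sp_pwdp))
        return PAM_PERM_DENIED;

    return PAM_SUCCESS;
}
#endif /* BUILD_PAM_MODULE */
```
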