Re: Linux locked accounts and PAM

From: Max Bowsher (maxbf2s.com)
Date: Thu Oct 02 2008 - 18:48:35 CDT

Thorsten Kukuk wrote:
> On Thu, Oct 02, Max Bowsher wrote:
>> Hi,
>> "Traditional" (pre-PAM) Linux software, like the 'shadow' package
>> providing tools such as /usr/bin/passwd, and OpenSSH in non-PAM mode
>> support the concept of a "locked" account being one whose crypted
>> password field starts with a "!" character.
> This has nothing to do with PAM.

Well, obviously. I'm describing the non-PAM behaviour that I then
proceed to explain I'd like to see in PAM too.

>> In particular, an account "locked" in this fashion becomes ineligible
>> for ssh logins by public key, as well as by password, when used in this
>> manner, when OpenSSH is not using PAM.
>> I'd quite like to make use of this feature even when OpenSSH *is* using
>> PAM. Is there any existing way to configure PAM to respect this convention?
> On openSUSE you can use "usermod -L" or "passwd -l" for this.

Unless openSUSE has significantly different versions of these tools than
Debian/Ubuntu, then the way those commands work is *exactly what I'm
talking about* - they prepend a "!" character to the password.

Now, clearly, this blocks password-based logins. I am saying that it
should block logins by non-password means too (e.g. ssh pubkey), and
suggesting that the account-management part of pam_unix should consider
an account marked with a ! to be disabled (well, expired, I suppose,
since I don't see a locked/disabled return code in the pam headers.)
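As an added illustration of the check being proposed (this is not pam_unix's code, nor anything from the thread's authors), the following Python classifies constructed /etc/shadow entries the way an account-management step would if it honoured the "!" convention: a "!" prefix is reported as a lock before any other condition is considered, so it applies whether or not a password was ever presented. The shadow lines and the day counts are constructed sample data; the field layout follows shadow(5).

```python
"""Classify shadow entries as an account-management step might.

Added example: a '!' prefix on the password field is treated as an
administrative lock (the convention usermod -L / passwd -l follow), and is
checked before the expiry field so it blocks every authentication method.
"""

from dataclasses import dataclass
import time

# Constructed sample entries (not real hashes). Layout per shadow(5):
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$saltsalt$hashedvalue:17000:0:99999:7:::
bob:!$6$saltsalt$hashedvalue:17000:0:99999:7:::
carol:!!:17000:0:99999:7:::
dave:*:17000:0:99999:7:::
erin:$6$saltsalt$hashedvalue:17000:0:99999:7::17500:
"""


@dataclass
class Status:
    user: str
    state: str   # one of: "ok", "locked", "expired", "no_password"
    reason: str


def parse_shadow(text):
    """Return {username: [9 fields]} for every non-empty, non-comment line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields
    return entries


def account_status(fields, today_days):
    """Decide whether an account may log in at all, independent of how
    the user authenticated (password, ssh public key, ...)."""
    user, pw, expire = fields[0], fields[1], fields[7]

    # Lock convention discussed in the thread: a leading '!' means the
    # administrator disabled the account. Evaluated first so that a key-based
    # login, which never touches the hash, is still refused.
    if pw.startswith("!"):
        return Status(user, "locked", "password field starts with '!'")

    # Field 8: day (since 1970-01-01) after which the account is disabled;
    # an empty field means the account never expires.
    if expire and int(expire) <= today_days:
        return Status(user, "expired",
                      f"expire day {expire} <= today {today_days}")

    # '*' can never match a crypt(3) result, so password login is impossible,
    # but it is not a lock: under the traditional rule key-based login still
    # works. That is exactly the distinction the thread is drawing.
    if pw == "*":
        return Status(user, "no_password", "no usable password hash")

    return Status(user, "ok", "")


def check_all(text, today_days):
    """Classify every entry in a shadow-format string."""
    return {u: account_status(f, today_days)
            for u, f in parse_shadow(text).items()}


if __name__ == "__main__":
    today = int(time.time() // 86400)
    for s in check_all(SAMPLE_SHADOW, today).values():
        print(f"{s.user:8} {s.state:12} {s.reason}")
```

With a constructed "today" of day 18000, alice is ok, bob and carol are locked (the "!!" form used by some distributions for never-set passwords also starts with "!"), dave has no usable password but is not locked, and erin is expired; with today set to day 17000, erin is ok again.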
