Re: Linux locked accounts and PAM

From: Tomas Mraz (tmraz at redhat.com)
Date: Wed Oct 08 2008 - 02:12:23 CDT


On Wed, 2008-10-08 at 01:25 +0400, Dan Yefimov wrote:
> On 07.10.2008 2:40, Max Bowsher wrote:
> > I know about the special behaviour of "!" in a password field when SSH
> > is managing authentication itself. My point is that this special
> > behavior does NOT exist any more when SSH is authenticating via PAM -
> > but I want it to!
> >
> If SSH authentication is performed via PAM (so called keyboard-interactive
> authentication), you do have that behaviour. But, IIRC, you perform
> authentication with SSH public key, which completely bypasses PAM infrastructure
> at the authentication stage regardless of 'UsePAM yes' setting, thus the result
> you observe. PAM has nothing to do with that. Please carefully read sshd_config
> manual.
Not really - sshd will call pam_acct_mgmt() even in case of public key
authentication. The problem is pam_unix checks just the expiration dates
of the shadow entry, not the password hash field contents.

I think we should do the same as sshd on Linux without PAM enabled - it
will reject just the accounts with password hash that starts with the
'!'. We would not reject the accounts with '*' in the password hash in
the shadow entry.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
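The two gating policies discussed above, side by side, as an added example that is not part of the thread and not taken from the sshd or pam_unix sources: the first is the rule the reply attributes to sshd on Linux without PAM (an account whose password hash begins with '!' is rejected; a hash of '*' is not), the second is a simplified model of what pam_unix's account management looks at (only the aging and expiry fields of the shadow entry, never the hash itself). The shadow field layout follows shadow(5); the sample lines, the TODAY value and the pam_unix-style decision rules are constructed assumptions for illustration.

```python
"""Added example for the pam-list thread on locked accounts; not code from
sshd, pam_unix or the thread's participants.

Compares, on constructed /etc/shadow lines:
  * sshd_locked(): the sshd-without-PAM rule described in the reply,
    '!' prefix => locked, '*' => not locked;
  * pam_unix_acct_status(): an assumed, simplified model of pam_unix's
    pam_acct_mgmt(), which only evaluates aging/expiry fields.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Days since the epoch for 2008-10-08, the date of the reply (assumed "today").
TODAY = 14160

# Constructed sample shadow entries (shadow(5) layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved).
SAMPLE_SHADOW = """\
alice:$6$saltsalt$examplehashAAAA:14000:0:99999:7:::
bob:!$6$saltsalt$examplehashBBBB:14000:0:99999:7:::
carol:*:14000:0:99999:7:::
dave:$6$saltsalt$examplehashDDDD:14000:0:99999:7::14100:
erin:!!:0:0:99999:7:::
frank:$6$saltsalt$examplehashFFFF:13000:0:90:7:10::
"""


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    lastchg: Optional[int]    # last password change, days since epoch
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive: Optional[int]   # grace days after max_days before the account is disabled
    expire: Optional[int]     # account expiry, days since epoch


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow(5) line; empty numeric fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    nums = [int(f) if f else None for f in fields[2:8]]
    return ShadowEntry(fields[0], fields[1], *nums)


def sshd_locked(entry: ShadowEntry) -> bool:
    """Rule attributed to sshd on Linux without PAM: reject '!'-prefixed hashes only.

    '!' is what `passwd -l` prepends; '!!' (never-set password) matches too.
    '*' (no usable password, e.g. key-only accounts) is deliberately NOT locked.
    """
    return entry.pw_hash.startswith("!")


def pam_unix_acct_status(entry: ShadowEntry, today: int) -> str:
    """Assumed simplified pam_unix-style account check: aging fields only.

    Returns 'ok', 'change-required: ...' or 'denied: ...'. The hash field is
    never consulted, which is why a '!'-locked account with no expiry passes.
    """
    if entry.expire is not None and entry.expire >= 0 and today > entry.expire:
        return "denied: account expired"
    if entry.lastchg is None:
        return "ok"                       # no aging information at all
    if entry.lastchg == 0:
        return "change-required: password must be changed at next login"
    if entry.max_days is None or entry.max_days < 0:
        return "ok"                       # aging disabled
    age = today - entry.lastchg
    if age > entry.max_days:
        if (entry.inactive is not None and entry.inactive >= 0
                and age > entry.max_days + entry.inactive):
            return "denied: password expired and inactivity period exceeded"
        return "change-required: password expired"
    return "ok"


def audit(shadow_text: str, today: int) -> List[Tuple[str, bool, str]]:
    """Evaluate every entry under both policies: (name, sshd_locked, pam_status)."""
    rows = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        rows.append((e.name, sshd_locked(e), pam_unix_acct_status(e, today)))
    return rows


if __name__ == "__main__":
    print(f"{'user':8} {'sshd-noPAM':12} pam_unix-style")
    for name, locked, status in audit(SAMPLE_SHADOW, TODAY):
        print(f"{name:8} {'LOCKED' if locked else 'allowed':12} {status}")
```

Running it shows the gap the reply describes: bob (locked with `passwd -l`) is rejected by the '!' rule but is "ok" to the aging-only check, while dave (expired account, untouched hash) is the reverse; carol's '*' hash is accepted by both, matching the reply's proposal not to treat '*' as locked.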

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list