List: pkg-shadow-devel
Subject: [Pkg-shadow-devel] Re: pam_unix: in 'account' mode, deny authorization if user's account is locked
From: Steve Langasek <vorlon () debian ! org>
Date: 2006-09-25 1:16:35
Message-ID: 20060925011633.GF27707 () mauritius ! dodds ! net
reassign 389183 libpam-modules,passwd
thanks
> I did some testing with a test user, ssh and a public key, and it seems
> that Steve Langasek is wrong, and pam_unix does not check to see if the
> password field is (or is prefixed by) a ! character.
I don't believe I ever said that pam_unix checks whether the password field
is prefixed by a ! character -- I said that pam_unix checks whether an
account is locked. Apparently, we're using a couple different definitions
of "locked" here.
"Locking" a user's account by munging the password field is a kludge that
overloads the meaning of this field. If you want to lock a Unix account
such that pam_unix's authorization checks recognize the account as locked,
there is an account expiry field in the shadow file that I believe is much
more appropriate for this.
But it seems that the passwd command doesn't have an option that will set
this field; it has "passwd -l" and "passwd -u", which manage the "!" in the
password field, and it has "passwd -e", which sets password expiry but *not*
account expiry.
Since, as Colin says, there are people who *expect* that editing the
password field only locks the password, not the account, and this has been
the behavior for, oh... about a decade now, I think it would be better if
the passwd -l/-u options would edit the shadow account expiry field *in
addition* to editing the password field as they do now. This would
maximize compatibility, while giving passwd -l semantics that more exactly
match the manpage documentation.
So I'm assigning this bug to both libpam-modules and passwd, to get input
from the shadow maintainers.
Thanks,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon@debian.org                http://www.debian.org/
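The message above turns on two different notions of "locked": a password field prefixed with `!` (what `passwd -l` writes) and an account expiry date in the eighth shadow field (what pam_unix's account check honours). The following audit script, added here as an example and not code from the thread, from pam_unix or from the shadow package, parses shadow-format records and reports which accounts are locked by only one mechanism. The sample records are constructed; the reference date is passed in as days since 1970-01-01 so the result is reproducible. It treats an expiry date on or before today as expired, which is my reading of pam_unix's shadow expiry check (an empty field means the account never expires).

```python
"""Audit shadow-style records for the two notions of "locked" discussed in
the thread: '!'-prefixed password (passwd -l) versus an account expiry date
in field 8 (what pam_unix's account check honours).

Example code added to the archived message; not part of pam_unix or shadow.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records (not from any real system). Field order:
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::
bob:!$6$saltsalt$hashhashhash:19000:0:99999:7:::
carol:!$6$saltsalt$hashhashhash:19000:0:99999:7::1:
dave:$6$saltsalt$hashhashhash:19000:0:99999:7::1:
erin:*:19000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    password: str
    expire_days: Optional[int]  # days since 1970-01-01; None if the field is empty


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow(5)-format lines into ShadowEntry objects, skipping blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        expire = int(fields[7]) if fields[7] else None
        entries.append(ShadowEntry(fields[0], fields[1], expire))
    return entries


def password_locked(e: ShadowEntry) -> bool:
    """passwd -l prefixes the hash with '!'; a bare '*' also never matches."""
    return e.password.startswith("!") or e.password == "*"


def account_expired(e: ShadowEntry, today_days: int) -> bool:
    """Assumed pam_unix semantics: expiry date on or before today means expired."""
    return e.expire_days is not None and e.expire_days <= today_days


def audit(entries: list[ShadowEntry], today_days: int) -> dict[str, str]:
    """Classify each account by which locking mechanism(s) apply to it."""
    findings = {}
    for e in entries:
        pw, acct = password_locked(e), account_expired(e, today_days)
        if pw and acct:
            findings[e.name] = "fully-locked"
        elif pw:
            # Only the password is disabled; non-password logins (e.g. an ssh
            # public key) still pass pam_unix's account check.
            findings[e.name] = "password-locked-only"
        elif acct:
            findings[e.name] = "account-expired-only"
        else:
            findings[e.name] = "active"
    return findings


def days_since_epoch(d: date) -> int:
    """Convert a date to the day count shadow(5) uses for the expire field."""
    return d.toordinal() - date(1970, 1, 1).toordinal()


if __name__ == "__main__":
    today = days_since_epoch(date.today())
    for name, state in audit(parse_shadow(SAMPLE_SHADOW), today).items():
        print(f"{name:8s} {state}")
```

Run against a real system, `parse_shadow(open("/etc/shadow").read())` (as root) lists the accounts where a `passwd -l` was expected to lock the whole account but only the password field was touched, which is exactly the gap the proposed `passwd -l` change would close.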