Re: Linux locked accounts and PAM

[Max Bowsher <maxb f2s com>]

Thorsten Kukuk wrote:
> On Thu, Oct 02, Max Bowsher wrote:
>
> > Hi,
> >
> > "Traditional" (pre-PAM) Linux software, like the 'shadow' package
> > providing tools such as /usr/bin/passwd, and OpenSSH in non-PAM mode
> > support the concept of a "locked" account being one whose crypted
> > password field starts with a "!" character.
>
> This has nothing to do with PAM.

Well, obviously. I'm describing the non-PAM behaviour that I then 
proceed to explain I'd like to see in PAM too.

> > In particular, an account "locked" in this fashion becomes ineligible
> > for ssh logins by public key, as well as by password, when used in this
> > manner, when OpenSSH is not using PAM.
> >
> > I'd quite like to make use of this feature even when OpenSSH *is* using
> > PAM. Is there any existing way to configure PAM to respect this convention?
>
> On openSUSE you can use "usermod -L" or "passwd -l" for this.

Unless openSUSE has significantly different versions of these tools than 
Debian/Ubuntu, then the way those commands work is *exactly what I'm 
talking about* - they prepend a "!" character to the password.

Now, clearly, this blocks password-based logins. I am saying that it 
should block logins by non-password means too (e.g. ssh pubkey), and 
suggesting that the account-management part of pam_unix should consider 
an account marked with a ! to be disabled (well, expired, I suppose, 
since I don't see a locked/disabled return code in the pam headers.)

Max.