Dan Yefimov wrote:
>> No, you're missing something: A password hash that begins with a ! character, by mostly undocumented but fairly widespread convention, has a meaning beyond mere authentication - it denotes a completely locked account. This semantic is expected by traditional Linux tools such as those built from the 'shadow' source package of most Linux distros, and extended tools such as Debian's 'adduser', which makes a distinction between a disabled *account* and a disabled *password* and maps this to the "!" vs. "*" convention.
>
> No, I miss nothing here. Whatever prefix a password hash begins with, if the password hash derived from the string obtained from the user isn't equal to what is contained in shadow, access is denied, no matter why. Prefix differences among different systems are unimportant here.

But that has to do with authentication, not whether the account is locked.

> That will break many existing installations. Solar Designer in his post completely described why. And again, password hash checking is the job of the auth stack, not the account one. The account stack was designed to check and enforce account restrictions, not the password hash, all the more so since there is no strict standard on it.

But for systems with the widely-used ! convention for account locking, shouldn't pam at least have an option to permit expected behavior in the account phase?
--
Les Mikesell
lesmikesell gmail com
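The distinction the thread turns on, as an added example that is not part of the original message and is not pam_unix or shadow-utils code: a parser for shadow(5) lines, the password-field classification used by shadow-utils (a leading "!" is a reversible lock written by `passwd -l`; "*" is a password nothing can ever hash to), a bare hash comparison of the kind the auth phase performs, and the account-phase aging rules in a simplified imitation of shadow-utils' isexpired(). The `honor_lock_prefix` argument is the hypothetical option the last question asks about, not a real pam_unix parameter, and the sample lines and hashes are constructed.

```python
"""Classify /etc/shadow password fields and apply the account-aging rules.

Added example, not pam_unix or shadow-utils code.  Assumes the shadow(5)
field layout and the shadow-utils "!" (lock) / "*" (disabled) convention.
The hashes and entries below are constructed, not real.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ShadowEntry:
    name: str
    passwd: str
    lastchg: Optional[int]   # days since epoch; 0 = must change; None = aging off
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive: Optional[int]  # grace days after expiry before the account is disabled
    expire: Optional[int]    # absolute day the account is disabled; None = never


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    return ShadowEntry(fields[0], fields[1], *(_opt_int(f) for f in fields[2:8]))


def password_state(passwd: str) -> str:
    """Map the password field onto the shadow-utils convention from the thread."""
    if passwd.startswith("!"):
        return "locked"      # passwd -l / usermod -L; the hash after "!" is intact
    if passwd.startswith("*"):
        return "disabled"    # password disabled; no input ever hashes to "*"
    if passwd == "":
        return "empty"       # no password at all
    return "hash"            # an ordinary crypt(3)-style hash


def lock(passwd: str) -> str:
    return passwd if passwd.startswith("!") else "!" + passwd


def unlock(passwd: str) -> str:
    return passwd.lstrip("!")


def auth_phase(entry: ShadowEntry, candidate_hash: str) -> bool:
    """The comparison Dan describes: candidate hash versus the stored field.

    The caller is assumed to have run crypt(3) already.  Any prefix on the
    stored field makes this fail, so a locked account is denied here without
    the auth module knowing *why*.
    """
    return candidate_hash == entry.passwd


def account_phase(entry: ShadowEntry, today: int, honor_lock_prefix: bool = False) -> str:
    """Account restrictions, simplified after shadow-utils' isexpired().

    honor_lock_prefix is the hypothetical option asked about in the thread.
    """
    if honor_lock_prefix and password_state(entry.passwd) == "locked":
        return "account locked"
    if entry.expire is not None and entry.expire > 0 and today >= entry.expire:
        return "account expired"
    if entry.lastchg == 0:
        return "password change required"
    if entry.lastchg is not None and entry.max_days is not None:
        expiry = entry.lastchg + entry.max_days
        if entry.inactive is not None and today >= expiry + entry.inactive:
            return "password inactive"     # grace period used up: account disabled
        if today >= expiry:
            return "password expired"      # still admitted, but must change
    return "ok"


# Constructed sample; hashes are placeholders, days are since 1970-01-01.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$constructedhash:19000:0:99999:7:::
bob:!$6$saltsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:$6$saltsalt$constructedhash:0:0:99999:7:::
dave:$6$saltsalt$constructedhash:19000:0:30:7:10::
eve:$6$saltsalt$constructedhash:19000:0:99999:7::19050:
"""


def load(text: str) -> dict:
    return {e.name: e for e in (parse_shadow_line(l) for l in text.splitlines() if l)}


if __name__ == "__main__":
    for name, e in load(SAMPLE_SHADOW).items():
        print(f"{name:8} {password_state(e.passwd):9} {account_phase(e, 19035)}")
```

Note that bob's entry passes `account_phase` with the default arguments: the lock is only ever noticed by `auth_phase`, which is exactly the behaviour being debated. Real pam_unix also handles warn_days and min_days; they are parsed here but not enforced.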