Re: Linux locked accounts and PAM
- From: Richard A Nelson <cowboy vnet ibm com>
- To: Pluggable Authentication Modules <pam-list redhat com>
- Subject: Re: Linux locked accounts and PAM
- Date: Wed, 08 Oct 2008 08:27:58 -0700
Thorsten Kukuk wrote:
> On Wed, Oct 08, Solar Designer wrote:
>
>> Also, one has to deal with the password hash string, even if via the
>> proper tools, to configure an account like that. "usermod -L" and
>> "passwd -l" are "admin-friendly" approaches; there's no equivalent that
>> would be as friendly for "*-locking" (and "*-unlocking") an account.
>
> usermod -p '*' <account> works fine for me on openSUSE.
I'll wager that these also work (and explicitly document the use of !):
passwd -l <user> # lock
passwd -u <user> # unlock
The problem being discussed is due to the overloading of the password field
to also contain a 'locked' indicator - whereas things like 'expired' are
separate shadow fields.
I can't use ssh pwd auth, and am forced to use PAM, as my passwords are
validated against either KRB or LDAP (which are kept in sync) - and the LDAP
password is not in Linux format (so I use pam_ldap bind) ... All other
account data is in LDAP.
As a consequence of the password storage, even root never sees a password:
#getent shadow cowboy
cowboy:*:14144:0:90:30:30::0
Unfortunately, this also means that I can't use the (quasi) standard tools
for lock/unlock :(
--
Rick
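The point of the thread is that '!' and '*' in the shadow password field are a lock indicator squeezed into the hash, while expiry lives in the separate date fields. The following is an added example (not code from the list or from any of the posters) that classifies shadow(5) lines by both, so an audit reports "locked via prefix", "no usable hash" and "expired" as distinct states; the sample entries are constructed, and `today` is assumed to be a day count since the epoch as shadow(5) uses.

```python
# Added example: separate the overloaded password field from the real expiry
# fields of shadow(5). Sample entries are constructed, not real accounts.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ShadowState:
    user: str
    lock: str              # how the password FIELD itself blocks login, if at all
    password_expired: bool
    account_expired: bool

def _int(field: str) -> Optional[int]:
    """Empty shadow fields mean 'unset'; everything else is a day count."""
    return int(field) if field.strip() else None

def classify_password_field(pw: str) -> str:
    if pw == "":
        return "empty"       # no password at all; only safe if PAM refuses nullok
    if pw.startswith("!"):
        return "locked"      # passwd -l / usermod -L prefix; the old hash may follow it
    if pw == "*":
        return "no-hash"     # not a valid hash: local password auth impossible,
                             # other methods (Kerberos, LDAP bind) may still work
    return "hash"

def parse_shadow_line(line: str, today: int) -> ShadowState:
    """today: days since the epoch, the unit used by every shadow(5) date field."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
    user, pw, lastchg, _minage, maxage, _warn, _inactive, expire, _flag = f
    last, max_days, exp = _int(lastchg), _int(maxage), _int(expire)
    # lastchg 0 forces a change at next login; max 99999 means never expires.
    pw_expired = (last == 0) or (last is not None and max_days is not None
                                 and max_days < 99999 and today > last + max_days)
    acct_expired = exp is not None and today > exp
    return ShadowState(user, classify_password_field(pw), pw_expired, acct_expired)

def report(lines, today: int):
    return {s.user: s for s in (parse_shadow_line(l, today) for l in lines)}

SAMPLE = [  # constructed; first line modelled on the getent output in the mail
    "cowboy:*:14144:0:90:30:30::0",
    "alice:!$6$salt$hash:14000:0:90:7:::",
    "bob:$6$salt$hash:14100:0:99999:7::14150:",
]

if __name__ == "__main__":
    for user, st in report(SAMPLE, today=14160).items():
        print(user, st.lock, st.password_expired, st.account_expired)
```

Run against real data with `getent shadow` output and today's day number (`$(( $(date +%s) / 86400 ))`); accounts reported as "no-hash" are exactly the ones the standard lock/unlock tools cannot express.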