Linux locked accounts and PAM

Dan Yefimov dan at nf15.lightwave.net.ru
Tue Oct 7 22:20:13 UTC 2008


On 07.10.2008 14:26, Tomas Mraz wrote:
> On Tue, 2008-10-07 at 20:55 +1100, Darren Tucker wrote:
>> Thorsten Kukuk wrote:
>>> On Mon, Oct 06, Max Bowsher wrote:
>>>
>>>> I know about the special behaviour of "!" in a password field when SSH
>>>> is managing authentication itself. My point is that this special
>>>> behavior does NOT exist any more when SSH is authenticating via PAM -
>>>> but I want it to!
...
>> Agreed, when sshd is configured to use PAM it delegates such things to
>> it (as far as possible, anyway) so PAM is the right place to do this.
>> Personally I think pam_unix should do this check in the account stack
>> (there's also special-case handling of the *NP* string, for example) but
>> that's probably a matter of taste.
>
> I agree that pam_unix should be modified to do this check in the account
> phase. I'll write a patch later.

Please don't make that behaviour compulsory; that will break many installations.
It would be nice if it were controlled with some command line parameter of the
module.
-- 

Sincerely yours, Dan.



