
Re: adduser: what is the difference between --disabled-password and --disabled-login



>>>>> "Marc" == Marc Haber <mh+debian-devel@zugschlus.de> writes:

    Marc> If that option is switched off, an account created with
    Marc> adduser --disabled-login is impossible to ssh into (log
    Marc> entry "sshd[14704]: User testuser not allowed because
    Marc> account is locked") while an account created with adduser
    Marc> --disabled-password can ssh in fine via authorized_keys.

I would speculate that the pam_unix module doesn't support checking
the account is locked or not, it only checks to see if it can match
the password. However, as no password is used...

Is there any reason why pam_unix doesn't check if the account is
locked?

Along similar lines, I have noticed general weirdness with pam_ldap.

According to tests I just conducted (OK means login allowed, Fail
means login failed):

                    | password               | RSA
                    | courier-imap | openssh | openssh 
--------------------+--------------+---------+--------------------
expired password    | OK           | Fail[1] | Fail[2]
account deactive[3] | Fail         | Fail    | OK
------------------------------------------------------------------

I find this inconsistency is very confusing. What happened (in my
case) is most users on my system log in via courier-imap and never
realize that their password has expired, because it continued
working. Then they came to a trivial problem that took ages to fix
because first I had to debug why ssh wouldn't let them log in using a
password.

I also find it incredible that an expired LDAP password will prevent
RSA-based logins (WHY?), but a deactivated account won't (WHY not?).

I also think it would be really "cool"(TM) if the system could display
a message "password expired" or "account is locked" if the user
successfully authenticates to the system but is unable to authorize
the user to use the system. This saves the user wondering "did I use
the correct password?", "Did I enter it in correctly?", etc.

Notes:

[1] Nothing displayed to user, but following logged:

May 15 10:46:24 snoopy sshd[15018]: error: PAM: User account has expired for jan from localhost

[2] Automatically reverts to password based authentication which
fails, but in this case it never displays the expired message.

May 15 10:50:53 snoopy sshd[15846]: error: PAM: Authentication failure for jan from localhost

[3] "Account deactivated" option in "LDAP Account Manager". I haven't
worked out how this is stored in LDAP yet. No messages displayed to
the user.
-- 
Brian May <bam@debian.org>
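The distinction Marc's log line points at (sshd refusing a locked account before authentication even starts, versus pam_unix's account stage rejecting an expired password after it) can be reproduced against /etc/shadow entries. The following is an added example, not code from this thread or from adduser, sshd or pam_unix; the shadow lines and the "today" date are constructed. It assumes the shadow(5) encoding Debian's adduser uses: a hash field beginning with `!` marks a locked account (adduser --disabled-login), `*` marks an account with no usable password (adduser --disabled-password), and the date fields are days since 1970-01-01. The expiry logic is a simplification of pam_unix's checks, not a copy of them.

```python
"""Model the account checks sshd and pam_unix apply to /etc/shadow entries.

Added example for the adduser --disabled-login / --disabled-password thread.
All sample data below is constructed; the checks are a simplified model of
what sshd (lock marker) and pam_unix's account stage (expiry fields) do.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed "today": 2022-01-08 is day 19000 since the epoch.
TODAY = date(2022, 1, 8)

# Constructed shadow(5) lines: name:hash:lastchg:min:max:warn:inact:expire:
SAMPLE_SHADOW = """\
alice:$6$salt$hashhashhash:18900:0:99999:7:::
bob:!:18900:0:99999:7:::
carol:*:18900:0:99999:7:::
dave:$6$salt$hashhashhash:18800:0:90:7:::
erin:$6$salt$hashhashhash:18900:0:99999:7::18950:
"""


def days_since_epoch(d):
    """shadow(5) stores dates as whole days since 1970-01-01."""
    return (d - EPOCH).days


def parse_shadow(text):
    """Parse shadow(5) lines into a dict of per-user field dicts."""

    def num(field):
        return int(field) if field else None

    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 9:
            raise ValueError("malformed shadow line: %r" % line)
        entries[f[0]] = {
            "hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
            "max": num(f[4]), "warn": num(f[5]), "inact": num(f[6]),
            "expire": num(f[7]),
        }
    return entries


def account_status(e, today):
    """Return the first condition that blocks the account, or 'ok'.

    Order mirrors the thread: sshd looks at the lock marker before any
    authentication runs, then pam_unix's account stage examines expiry.
    (pam_unix further distinguishes "must change password" from "password
    expired" via the inactive field; that is collapsed here.)
    """
    now = days_since_epoch(today)
    if e["hash"].startswith("!"):
        return "locked"               # sshd: "not allowed because account is locked"
    if e["expire"] is not None and now >= e["expire"]:
        return "account-expired"      # pam_unix: PAM_ACCT_EXPIRED
    if e["lastchg"] is not None and e["max"] is not None:
        if now - e["lastchg"] > e["max"] + (e["inact"] or 0):
            return "password-expired"  # pam_unix: authentication token expired
    if e["hash"] in ("", "*") or e["hash"].startswith("*"):
        return "no-password"          # usable, but not with password auth
    return "ok"


def login_allowed(e, today, method):
    """Would sshd + pam_unix admit this user via 'password' or 'publickey'?

    The account stage runs for both methods, so expiry blocks key logins too;
    a '*' hash only blocks the password method (authorized_keys still works).
    """
    status = account_status(e, today)
    if status in ("locked", "account-expired", "password-expired"):
        return False
    if status == "no-password":
        return method == "publickey"
    return True


ENTRIES = parse_shadow(SAMPLE_SHADOW)


def summary(entries=ENTRIES, today=TODAY):
    """Table of status and per-method verdicts, one row per user."""
    return {
        name: (account_status(e, today),
               login_allowed(e, today, "password"),
               login_allowed(e, today, "publickey"))
        for name, e in entries.items()
    }


if __name__ == "__main__":
    print("%-8s %-17s %-9s %s" % ("user", "status", "password", "publickey"))
    for name, (status, pw_ok, key_ok) in summary().items():
        print("%-8s %-17s %-9s %s" % (name, status, pw_ok, key_ok))
```

Running it prints one row per constructed user: `bob` (locked with `!`) is refused for both methods, `carol` (`*`) is refused for password but admitted with a key, and `dave`/`erin` are refused for both because the account stage fails regardless of how they authenticated. That is the pam_unix behaviour Marc described; it does not model the pam_ldap results in the table above.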