On Sun, May 15, 2005 at 11:19:12AM +1000, Brian May wrote:
> >>>>> "Marc" == Marc Haber <mh+debian-devel@zugschlus.de> writes:
>
>     Marc> If that option is switched off, an account created with
>     Marc> adduser --disabled-login is impossible to ssh into (log
>     Marc> entry "sshd[14704]: User testuser not allowed because
>     Marc> account is locked") while an account created with adduser
>     Marc> --disabled-password can ssh in fine via authorized_keys.
>
> I would speculate that the pam_unix module doesn't support checking
> the account is locked or not, it only checks to see if it can match
> the password.

That's incorrect.

> Is there any reason why pam_unix doesn't check if the account is
> locked?

It does, if you use the authorization checks in PAM. If you only use
the authentication checks, then PAM is only going to authenticate the
user -- not check whether they're allowed access.

> I also think it would be really "cool"(TM) if the system could display
> a message "password expired" or "account is locked" if the user
> successfully authenticates to the system but is unable to authorize
> the user to use the system. This saves the user wondering "did I use
> the correct password?", "Did I enter it in correctly?", etc.

This leaks information to attackers about the state of the account.

-- 
Steve Langasek
postmodern programmer
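The auth-versus-account split Steve describes, as an added illustration that is not part of the thread and not pam_unix's code: it parses constructed /etc/shadow-style lines and runs the two stages separately, using the shadow(5) convention that a password field starting with "!" is locked and "*" is merely not a usable password. Day numbers and hashes are made up; the hash comparison is a stand-in for crypt(3) verification.

```python
import hmac
from dataclasses import dataclass

# Constructed /etc/shadow-style lines; hashes are placeholders, not real crypt output.
SAMPLE_SHADOW = """\
testuser:!:12900:0:99999:7:::
keyuser:*:12900:0:99999:7:::
olduser:$6$placeholder$hash:12000:0:90:7:::
gone:$6$placeholder$hash:12900:0:99999:7::12800:
alice:$6$placeholder$hash:12900:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    name: str
    pw: str        # hash, or a marker: "!" locked, "*" no usable password (shadow(5))
    lastchg: int   # day of last password change (days since the epoch)
    maxage: int    # maximum password age in days, -1 if unset
    expire: int    # account expiry day, -1 if unset

def parse_shadow(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        f = line.split(":")          # name:pw:lastchg:min:max:warn:inact:expire:flag
        num = lambda s: int(s) if s else -1
        entries[f[0]] = ShadowEntry(f[0], f[1], num(f[2]), num(f[4]), num(f[7]))
    return entries

def authenticate(e: ShadowEntry, candidate_hash: str) -> bool:
    """'auth' stage: does the credential match? A lock marker is never a valid hash,
    so a locked account fails here exactly like a wrong password would."""
    if e.pw.startswith(("!", "*")):
        return False
    return hmac.compare_digest(e.pw, candidate_hash)

def account_check(e: ShadowEntry, today: int) -> str:
    """'account' stage: authorization checks, run even when no password was used
    (e.g. an ssh public key). Returns 'ok' or the detailed reason for refusal."""
    if e.pw.startswith("!"):
        return "locked"
    if e.expire != -1 and today >= e.expire:
        return "account expired"
    if e.maxage != -1 and today > e.lastchg + e.maxage:
        return "password expired"
    return "ok"

def user_visible(reason: str) -> str:
    """What the user sees: the detailed reason belongs in the server log only."""
    return "Login OK" if reason == "ok" else "Access denied"
```

With key-based login the auth stage is skipped entirely, which is why only the account stage can refuse a "--disabled-login" user while a "--disabled-password" user passes.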