
Re: adduser: what is the difference between --disabled-password and --disabled-login



On Sun, May 15, 2005 at 11:19:12AM +1000, Brian May wrote:
> >>>>> "Marc" == Marc Haber <mh+debian-devel@zugschlus.de> writes:
> 
>     Marc> If that option is switched off, an account created with
>     Marc> adduser --disabled-login is impossible to ssh into (log
>     Marc> entry "sshd[14704]: User testuser not allowed because
>     Marc> account is locked") while an account created with adduser
>     Marc> --disabled-password can ssh in fine via authorized_keys.

> I would speculate that the pam_unix module doesn't support checking
> the account is locked or not, it only checks to see if it can match
> the password.

That's incorrect.

> Is there any reason why pam_unix doesn't check if the account is
> locked?

It does, if you use the authorization checks in PAM.  If you only use the
authentication checks, then PAM is only going to authenticate the user --
not check whether they're allowed access.

> I also think it would be really "cool"(TM) if the system could display
> a message "password expired" or "account is locked" if the user
> successfully authenticates to the system but is unable to authorize
> the user to use the system. This saves the user wondering "did I use
> the correct password?", "Did I enter it in correctly?", etc.

This leaks information to attackers about the state of the account.

-- 
Steve Langasek
postmodern programmer
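The behaviour Marc reports follows from what adduser leaves in the password field of /etc/shadow: --disabled-login leaves "!", which sshd treats as a locked account before any authentication method (password or authorized_keys) is tried, while --disabled-password leaves "*", an unmatchable hash that only rules out password authentication. The Python below is added here as an illustration and is not from the thread; it reproduces that distinction over constructed shadow lines, and the account names, dates and hash values in it are made up.

```python
# Constructed /etc/shadow lines (not from the thread): one account created with
# adduser --disabled-login, one with --disabled-password, one with a password
# set, and one locked afterwards with passwd -l (which prepends "!" to the hash).
SAMPLE_SHADOW = """\
testuser:!:12900:0:99999:7:::
keyuser:*:12900:0:99999:7:::
alice:$6$constructedsalt$constructedhashvalue:12900:0:99999:7:::
bob:!$6$constructedsalt$constructedhashvalue:12900:0:99999:7:::
"""

LOCKED_PREFIX = "!"  # the Linux value of sshd's LOCKED_PASSWD_PREFIX


def parse_shadow(text):
    """Return {account: password_field} for text in /etc/shadow format."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:  # shadow entries carry nine colon-separated fields
            raise ValueError("malformed shadow line: %r" % line)
        entries[fields[0]] = fields[1]
    return entries


def password_state(field):
    """Classify the password field as pam_unix and sshd effectively see it."""
    if field.startswith(LOCKED_PREFIX):
        return "locked"          # adduser --disabled-login, or passwd -l
    if field == "*":
        return "no-password"     # adduser --disabled-password: keys still work
    if field == "":
        return "empty"           # no password is required at all
    return "hash"                # a password has been set


def sshd_account_check(name, field):
    """Mirror sshd's account gate: a "!" prefix refuses the user outright,
    before any authentication method, publickey included, is attempted."""
    if field.startswith(LOCKED_PREFIX):
        return False, "sshd: User %s not allowed because account is locked" % name
    return True, ""


def audit(text):
    """Map each account to (password state, may sshd proceed, sshd log line)."""
    result = {}
    for name, field in parse_shadow(text).items():
        allowed, log = sshd_account_check(name, field)
        result[name] = (password_state(field), allowed, log)
    return result
```

Running audit(SAMPLE_SHADOW) shows testuser and bob refused with the "account is locked" message while keyuser passes the account gate despite having no usable password, which is exactly the asymmetry between the two adduser options.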
