
Re: adduser: what is the difference between --disabled-password and --disabled-login



>>>>> "Steve" == Steve Langasek <vorlon@debian.org> writes:

    Steve> It does, if you use the authorization checks in PAM.  If
    Steve> you only use the authentication checks, then PAM is only
    Steve> going to authenticate the user -- not check whether they're
    Steve> allowed access.

When you say "authorization checks" vs "authentication checks" what do
you mean?

PAM has the following sections "auth", "account", "password",
"session". All of these are configured by default on Debian. The
implication I got when reading Marc's post (or did I read too much
into it?) is that if ssh is configured to use PAM and you use RSA-based
authentication, it won't detect if the account is locked.

I fail to see where terms like "authorization" and "authentication"
fit into its configuration scheme.

If I did misread Marc's post, and pam_unix does the right thing, this
doesn't excuse pam_ldap for not doing the right thing either (as shown
in my test results I already posted).

    Steve> This leaks information to attackers about the state of the
    Steve> account.

Only if the attackers are able to successfully authenticate as you. If
they can authenticate as you, then security is potentially lost
anyway, right? ...unless the solution to the error is to update the
password, but in that case leaking the information doesn't have any
downside.

Perhaps the only exception I can think of is if the account is locked
due to "too many login attempts" as opposed to "password expired" or
"account has expired" or some other predictable reason. Then, yes,
that would be a problem.
-- 
Brian May <bam@debian.org>