Re: adduser: what is the difference between --disabled-password and --disabled-login

On Mon, May 16, 2005 at 08:22:26AM +1000, Brian May wrote:
> >>>>> "Steve" == Steve Langasek <vorlon@debian.org> writes:

>     Steve> It does, if you use the authorization checks in PAM.  If
>     Steve> you only use the authentication checks, then PAM is only
>     Steve> going to authenticate the user -- not check whether they're
>     Steve> allowed access.

> When you say "authorization checks" vs "authentication checks" what do
> you mean?

> PAM has the following sections "auth", "account", "password",
> "session". All of these are configured by default on Debian. The
> implication I got when reading Marc's post (or did I read too much
> into it?) is if ssh is configured to use PAM and if you use RSA based
> authentication, it won't detect if the account is locked.

> I fail to see where terms like "authorization" and "authentication"
> fit into its configuration scheme.

The PAM "auth" section is for authentication, and the "account" section is
for (account) authorization.

Steve Langasek
postmodern programmer
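
The auth/account split described in the reply above, shown as a PAM service file. This is an added illustration, not part of the original message and not a file shipped by Debian. The service name and module choices are assumptions, and the comments name the libpam call that runs each stack.

```conf
# /etc/pam.d/<service>   (constructed illustration)
#
# Format: type  control  module

# "auth" stack: run when the application calls pam_authenticate().
# It proves who the user is (password check). An application that
# has already authenticated the user by other means, such as an
# SSH key, has no need to run this stack for that login.
auth       required   pam_unix.so

# "account" stack: run when the application calls pam_acct_mgmt().
# It decides whether the already-authenticated user is allowed
# access right now (account or password expired, logins disabled).
# This check only happens if the application makes that call.
account    required   pam_unix.so
# pam_nologin.so refuses non-root users while /etc/nologin exists.
account    required   pam_nologin.so

# The remaining two sections named in the thread.
# "password": run by pam_chauthtok() to change the credential.
password   required   pam_unix.so
# "session": run by pam_open_session() / pam_close_session().
session    required   pam_unix.so
```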

