Bug#219377: pam_unix: in 'account' mode, deny authorization if user's account is locked
reassign 389183 libpam-modules,passwd
thanks
> I did some testing with a test user, ssh and a public key, and it seems
> that Steve Langasek is wrong, and pam_unix does not check to see if the
> password field is (or is prefixed by) a ! character.
I don't believe I ever said that pam_unix checks whether the password field
is prefixed by a ! character -- I said that pam_unix checks whether an
account is locked. Apparently, we're using a couple different definitions
of "locked" here.
"Locking" a user's account by munging the password field is a kludge that
overloads the meaning of this field. If you want to lock a Unix account
such that pam_unix's authorization checks recognize the account as locked,
there is an account expiry field in the shadow file that I believe is much
more appropriate for this.
But it seems that the passwd command doesn't have an option that will set
this field; it has "passwd -l" and "passwd -u", which manage the "!" in the
password field, and it has "passwd -e", which sets password expiry but *not*
account expiry.
Since, as Colin says, there are people who *expect* that editing the
password field only locks the password, not the account, and this has been
the behavior for, oh... about a decade now, I think it would be better if
the passwd -l/-u option would edit the shadow account expiry field *in
addition* to editing the password field as they do know. This would
maximize compatibility, while giving passwd -l semantics that more exactly
match the manpage documentation.
So I'm assigning this bug to both libpam-modules and passwd, to get input
from the shadow maintainers.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Reply to: