locked account accessible via pubkey auth

Darren Moffat Darren.Moffat at eng.sun.com
Fri Feb 1 04:11:35 EST 2002

>On Wed, Jan 30, 2002 at 05:02:37PM -0800, Darren Moffat wrote:
>> New in Solaris 9 is pam_unix_account(5) which says:
>>      pam_unix_account provides functionality to the  PAM  account
>>      management  stack. The function pam(3PAM) function retrieves
>>      password aging information from the  repositories  specified
>>      in  nsswitch.conf(4),  and  verifies that the user's account
>>      and password have not expired.
>hmm... This seems broken.  If I want a certain service to check pam_unix,
>I list it in pam.conf.  Instead, I'm now supposed to call pam_unix_account()
>specifically?  Is pam_unix_account() somehow different than the normal
>pam account mgmt w/ pam_unix in pam.conf?  The intent of this (AFAICT) is
>so that an app can always check against pam_unix, regardless of what's in
>pam.conf -- broken.  Sorry, this is getting OT.

You completely misunderstood what pam_unix_account(5) is. The 5 is the
hint - it is a module not a function.  We have made no changes to
the API for applications or modules.

We took the big gob of pam_unix that we had from 2.6 through 8 and 
split it into smaller chunks to be more consistent with what is in the
Open Group spec and to make it easier for people to just replace the
password validation routines.

The new default pam.conf is attached.

>> passwd(1)'s description of the -l flag does still say:
>>      -l    Locks password entry for name.
>> Note that it doesn't say it locks the password it says locks the "password
>> entry", implying it disables access to the account.  I agree this could
>> be clearer - I'll see what I can do about getting it changed.
>Do you know if a patch will be available for Solaris 8?

I'll look into it.

Darren J Moffat
-------------- next part --------------
#ident	"@(#)pam.conf	1.20	02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_auth.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_auth.so.1
# passwd command (explicit because of a different authentication module)
passwd	auth required		pam_passwd_auth.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron	account required	pam_projects.so.1
cron	account required	pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other	account requisite	pam_roles.so.1
other	account required	pam_projects.so.1
other	account required	pam_unix_account.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other	session required	pam_unix_session.so.1
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin		auth optional		pam_krb5.so.1 try_first_pass
#login		auth optional		pam_krb5.so.1 try_first_pass
#other		auth optional		pam_krb5.so.1 try_first_pass
#cron		account optional 	pam_krb5.so.1
#other		account optional 	pam_krb5.so.1
#other		session optional 	pam_krb5.so.1
#other		password optional 	pam_krb5.so.1 try_first_pass
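The attached pam.conf states that any service without entries of its own uses the "other" entries, and the mail's point is that the locked/expired check lives in pam_unix_account on the account stack, not on the auth stack that pubkey authentication never runs. The following is an added example, not code from the mail or from Sun: it parses a constructed excerpt of the attached pam.conf, resolves the effective stack for a service (an unlisted one such as sshd falls back to "other"), and applies the standard PAM control-flag semantics to per-module results.

```python
from collections import defaultdict

# Constructed excerpt of the attached pam.conf (tabs replaced by spaces).
PAM_CONF = """
# cron service (explicit because of non-usage of pam_roles.so.1)
cron    account required    pam_projects.so.1
cron    account required    pam_unix_account.so.1
other   auth    requisite   pam_authtok_get.so.1
other   auth    required    pam_dhkeys.so.1
other   auth    required    pam_unix_auth.so.1
other   account requisite   pam_roles.so.1
other   account required    pam_projects.so.1
other   account required    pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(flag, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        stacks[(service, mtype)].append((flag, module, fields[4:]))
    return stacks

def effective_stack(stacks, service, mtype):
    """Modules that run for service/type; unlisted services use "other"."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def evaluate(stack, results):
    """Combine per-module results (True = success) with PAM control flags.

    required:   a failure is remembered but the rest of the stack still runs
    requisite:  a failure ends the stack at once with that failure
    sufficient: success ends the stack with success unless a required
                module already failed; optional results are ignored here
    """
    failed = None
    for (flag, module, _opts), ok in zip(stack, results):
        if flag == "requisite" and not ok:
            return (False, module)
        if flag == "required" and not ok and failed is None:
            failed = module
        if flag == "sufficient" and ok and failed is None:
            return (True, None)
    return (failed is None, failed)
```

Resolving ("sshd", "account") yields the "other" stack ending in pam_unix_account.so.1, so a service that calls the account stack gets the expiry check even when it skipped pam_unix_auth.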
