locked account accessible via pubkey auth
Frank Cusack
fcusack at fcusack.com
Thu Jan 31 11:10:26 EST 2002
On Wed, Jan 30, 2002 at 10:09:56AM -0600, Chris Adams wrote:
> Once upon a time, Dan Kaminsky <dan at doxpara.com> said:
> > > If it is locked, the user is not allowed to change his own password. So he
> > > can not unlock it. You get a permission denied when trying to do so.
> >
> > Actually, that's really useful and very cool! Which platforms support this
> > behavior -- just recent Solaris, or most Unixen?
>
> I think the old shadow-utils had the -l/-u options to passwd to lock and
> unlock a password.
>
> I added them to the passwd command that Red Hat Linux uses several years
> ago and sent the patch to Red Hat (I don't know if other Linux
> distributions have it).
>
> > Can a user lock their own account?
>
> Remember, it is the password that is locked, not the account (that's
> what brought this thread up). And no, users can't do this; only root is
> allowed to use -l/-u.

That's not what the RH-Linux man page says:

    -l  This option is used to lock the specified account

This is from a passwd-0.64.1-1, shadow-utils-19990827-10 system.

However, a quick look through the pam-0.72-20 sources shows that the account
is not locked; just the password (for both pam_pwdb and pam_unix). i.e.,
pam_acct_mgmt() returns no error for an "account" locked with 'passwd -l'.
/fc
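
Added example, not part of the original message or of any project's code: a small audit that separates "password locked" from "account expired" in shadow(5) entries and reports users who could still log in with a public key. It assumes the Linux '!' prefix and the Solaris '*LK*' marker for a locked password, checks only the shadow expiry field (field 8), and takes the set of users who have an authorized_keys file from the caller; the sample data is constructed.

```python
import time

SECONDS_PER_DAY = 86400

def password_locked(pw_field):
    # Linux 'passwd -l' prepends '!' to the hash; Solaris writes '*LK*'.
    return pw_field.startswith("!") or pw_field.startswith("*LK*")

def account_expired(expire_field, today):
    # shadow(5) field 8: expiry in days since 1970-01-01; empty or -1 = never.
    if expire_field in ("", "-1"):
        return False
    return today >= int(expire_field)

def audit(shadow_text, users_with_keys, today=None):
    """Users with a locked password, a non-expired account and SSH keys."""
    if today is None:
        today = int(time.time() // SECONDS_PER_DAY)
    findings = []
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 8:
            continue  # malformed entry, skip
        name, pw, expire = fields[0], fields[1], fields[7]
        if (password_locked(pw)
                and not account_expired(expire, today)
                and name in users_with_keys):
            findings.append(name)
    return findings

# Constructed sample entries (hash values are placeholders, not real hashes).
SAMPLE_SHADOW = """\
alice:$1$abcdefgh$CONSTRUCTEDHASHVALUE000:11700:0:99999:7:::
bob:!$1$abcdefgh$CONSTRUCTEDHASHVALUE000:11700:0:99999:7:::
carol:!$1$abcdefgh$CONSTRUCTEDHASHVALUE000:11700:0:99999:7::1:
dave:!$1$abcdefgh$CONSTRUCTEDHASHVALUE000:11700:0:99999:7:::
"""
# Constructed: users assumed to have an authorized_keys file.
SAMPLE_KEY_USERS = {"alice", "bob", "carol"}

if __name__ == "__main__":
    for user in audit(SAMPLE_SHADOW, SAMPLE_KEY_USERS):
        print(f"{user}: password locked, account not expired, keys present")
```

Only bob is reported: carol's password is locked too, but her expiry field is set, which is the condition an account-management check can actually reject.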