locked account accessible via pubkey auth

Frank Cusack fcusack at fcusack.com
Thu Jan 31 11:10:26 EST 2002


On Wed, Jan 30, 2002 at 10:09:56AM -0600, Chris Adams wrote:
> Once upon a time, Dan Kaminsky <dan at doxpara.com> said:
> > > If it is locked, the user is not allowed to change his own password. So he
> > > can not unlock it. You get a permission denied when trying to do so.
> > 
> > Actually, that's really useful and very cool!  Which platforms support this
> > behavior -- just recent Solaris, or most Unixen?
> 
> I think the old shadow-utils had the -l/-u options to passwd to lock and
> unlock a password.
> 
> I added them to the passwd command that Red Hat Linux uses several years
> ago and sent the patch to Red Hat (I don't know if other Linux
> distributions have it).
> 
> > Can a user lock their own account?
> 
> Remember, it is the password that is locked, not the account (that's
> what brought this thread up).  And no, users can't do this; only root is
> allowed to use -l/-u.

That's not what the RH-Linux man page says:

       -l     This option is used to lock the  specified  account

This is from a passwd-0.64.1-1, shadow-utils-19990827-10 system.

However, a quick look through the pam-0.72-20 sources shows that the account
is not locked; just the password (for both pam_pwdb and pam_unix).  i.e.,
pam_acct_mgmt() returns no error for an "account" locked with 'passwd -l'.

/fc
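
An audit sketch for the distinction drawn above, added here as an example and not part of the original post or of any project's code: it lists accounts whose password field is locked while the account itself is neither expired nor given a no-login shell, so key-based logins for them need separate review. The sample entries, the function names and the shell list are constructed assumptions; on a real host the input would be /etc/shadow and /etc/passwd read as root.

```python
import time

# Assumption: shells treated as "no interactive login" for this audit.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data in shadow(5) and passwd(5) format.
SAMPLE_SHADOW = """\
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:19000:0:99999:7::1:
dave:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
SAMPLE_PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/sbin/nologin
daemon:x:2:2::/sbin:/sbin/nologin
"""

def password_locked(hash_field):
    # 'passwd -l' marks the hash with a leading '!'; '*' also matches no password.
    return hash_field.startswith(("!", "*"))

def account_expired(expire_field, today_days):
    # Field 8 of shadow(5): expiry in days since 1970-01-01; empty means never.
    return expire_field != "" and int(expire_field) <= today_days

def locked_password_only(shadow_text, passwd_text, today_days=None):
    """Users with a locked password whose account is not otherwise disabled."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 9 or not password_locked(fields[1]):
            continue
        if account_expired(fields[7], today_days):
            continue  # the account itself is disabled, not just the password
        if shells.get(fields[0]) in NOLOGIN_SHELLS:
            continue
        flagged.append(fields[0])
    return flagged

if __name__ == "__main__":
    print(locked_password_only(SAMPLE_SHADOW, SAMPLE_PASSWD, today_days=19500))
```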




More information about the openssh-unix-dev mailing list