Selective blocking of password authentication
Darren J Moffat
Darren.Moffat at Sun.COM
Sat Nov 2 10:53:58 EST 2002
On Tue, 29 Oct 2002, Frank Cusack wrote:
> If you're not willing to do the admin piece, then you can just lock
> those users' accounts, this typically prefaces their crypted passwd
> entry with '!' thereby disabling password auth. However, this will
*LK* in Solaris.
> break as PAM modules are fixed to check this in the account module.
> (Since the pubkey path correctly still does a PAM 'account' check.)
>
> I think Solaris 9 has this fixed, for one.
Yes, pam_unix_acct now checks that the hashed password string isn't *LK*
so that locked accounts are locked for public key via ssh and for cron.
--
Darren J Moffat
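
The following audit sketch is an added example, not part of the original message and not OpenSSH or Solaris code. It lists accounts whose password field carries one of the lock markers named in the thread ('!' prefix or *LK*) but which still have an authorized_keys file, the accounts that stay reachable by public key wherever the PAM account module does not check the lock. The `~/.ssh/authorized_keys` location, the function names and the sample data are assumptions made for illustration.

```python
import os

# Lock markers named in the thread: a '!' prefix and Solaris '*LK*'.
LOCK_MARKERS = ("!", "*LK*")

def parse_colon_file(text, min_fields):
    """Yield field lists from passwd/shadow-style text, skipping blank,
    comment and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields

def is_locked(hash_field):
    """True if the crypted password field starts with a lock marker."""
    return hash_field.startswith(LOCK_MARKERS)

def locked_with_keys(shadow_text, passwd_text, key_exists=os.path.exists):
    """Return sorted (user, key_path) pairs for locked accounts that
    still have an authorized_keys file (assumed default location)."""
    homes = {f[0]: f[5] for f in parse_colon_file(passwd_text, 7)}
    findings = []
    for fields in parse_colon_file(shadow_text, 2):
        user, hash_field = fields[0], fields[1]
        if not is_locked(hash_field) or user not in homes:
            continue
        key_path = os.path.join(homes[user], ".ssh", "authorized_keys")
        if key_exists(key_path):
            findings.append((user, key_path))
    return sorted(findings)

# Constructed sample data (not from any real system).
SAMPLE_PASSWD = """\
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/sh
carol:x:1003:1003::/export/home/carol:/bin/sh
dave:x:1004:1004::/home/dave:/bin/sh
"""
SAMPLE_SHADOW = """\
alice:$1$constructed$hash:11990::::::
bob:!$1$constructed$hash:11990::::::
carol:*LK*:11990::::::
dave:!$1$constructed$hash:11990::::::
"""
SAMPLE_KEYS = {"/home/alice/.ssh/authorized_keys",
               "/home/bob/.ssh/authorized_keys",
               "/export/home/carol/.ssh/authorized_keys"}

if __name__ == "__main__":
    hits = locked_with_keys(SAMPLE_SHADOW, SAMPLE_PASSWD, SAMPLE_KEYS.__contains__)
    for user, path in hits:
        print(f"{user}: locked, but {path} exists")
```

On a live host, pass the contents of the real shadow and passwd files and leave `key_exists` at its default; reading the shadow file requires root.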