Selective blocking of password authentication

Darren J Moffat Darren.Moffat at Sun.COM
Sat Nov 2 10:53:58 EST 2002

On Tue, 29 Oct 2002, Frank Cusack wrote:

> If you're not willing to do the admin piece, then you can just lock
> those users accounts, this typically prefaces their crypted passwd
> entry with '!' thereby disabling password auth.  However, this will

*LK* in Solaris.

> break as PAM modules are fixed to check this in the account module.
> (Since the pubkey path correctly still does a PAM 'account' check.)
> I think Solaris 9 has this fixed, for one.

Yes pam_unix_acct now checks that the hashed password string isn't *LK*
so that locked accounts are locked for public key via ssh and for cron.

Darren J Moffat

More information about the openssh-unix-dev mailing list