Test for locked account in auth.c (bug #442).

Martin MOKREJŠ mmokrejs at natur.cuni.cz
Wed Jan 8 22:12:35 EST 2003


On Wed, 8 Jan 2003, Darren Tucker wrote:

> Martin MOKREJŠ wrote:
> [locked accounts]
> > For example OSF1 3.2 ==  DU4.0 == Tru64-5.X use
> > :*:, :*gfcXdf83E:, :*Nologin:, :Nologin*:, :Nologin:
> > in the password field to denote a locked account. This also applies partly
> > to C2 security on those systems (when account is locked manually by
> > admin), it will be detected using this way too.
>
> I'm only interested in whatever "passwd -l" or its equivalent does to
> the passwd entry, so when an admin locks the account, it really is
> locked.  Any admin that hand-hacks /etc/passwd or equivalent is on their
> own.

I did not mean with "manually" hand-hacked. I meant more "by intention
using standard tools". Those examples are not hand-introduced locks.
For example, the :*Nologin: and :Nologin*: even fools DEC engineers, so
the account manager GUI used to show a lock icon on an account name only in one
of these two cases. I've checked the manpage and it still describes only
"*", but in the EXAMPLES section is :Nologin:. It's just incomplete. The above
is a summary of real life cases.


> System accounts shouldn't ever have a $HOME/.ssh/authorized_keys file so
> they don't matter.
>
> > However, the so called
> > protected password database has special fields to mark locked accounts,
> > locked them based number of unsuccessful logins etc. Those cases of
> > course cannot be detected using any logic interpreting passwd file.
>
> Trusted HP-UX has those too (in /tcb) but the only sane way to use them
> seems to be via PAM.

Sure. Or use commandline utils. What about using them too? ;)

-- 
Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
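As an added illustration of the password-field conventions discussed in this thread (this is not code from OpenSSH's auth.c or from either poster), a small C check that flags the Tru64-style markers listed above; the sample passwd line is constructed, and the limitation about protected-password-database (C2) locks is noted in the comments.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Markers the thread reports for locked accounts on OSF1 3.2 / DU 4.0 /
 * Tru64 5.x: a field that is exactly "*", one that starts with "*"
 * ("*gfcXdf83E", "*Nologin"), or one that starts with "Nologin"
 * ("Nologin", "Nologin*"). Locks kept only in the protected password
 * database (C2) are not visible in this field and cannot be detected here. */
bool passwd_field_is_locked(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return false;                 /* empty: no password, not a lock marker */
    if (field[0] == '*')
        return true;                  /* "*", "*gfcXdf83E", "*Nologin" */
    if (strncmp(field, "Nologin", strlen("Nologin")) == 0)
        return true;                  /* "Nologin", "Nologin*" */
    return false;
}

/* Copy the second (password) field of a "name:pw:uid:..." line into buf.
 * Returns false if there is no second field or it does not fit. */
bool passwd_line_field(const char *line, char *buf, size_t buflen)
{
    const char *start = strchr(line, ':');
    if (start == NULL)
        return false;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end != NULL ? (size_t)(end - start) : strlen(start);
    if (len >= buflen)
        return false;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return true;
}

/* Does this passwd-style line describe a locked account? */
bool passwd_line_is_locked(const char *line)
{
    char field[128];
    return passwd_line_field(line, field, sizeof field) && passwd_field_is_locked(field);
}

int main(void)
{
    /* Constructed sample line, not taken from any real system. */
    const char *line = "bob:Nologin*:1002:100:Bob:/home/bob:/bin/sh";
    printf("%s -> %s\n", line, passwd_line_is_locked(line) ? "locked" : "open");
    return 0;
}
```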
