PAM auth with disabled user
Paul Moore
paul.moore at centrify.com
Fri Jan 13 06:45:27 EST 2006
Our test was with 4.1p1
I see that you display a message (if set). But then you proceed to
repromt even though the pam module returned a disabled error code.
I guess you are saying that the PAM module must tell the user they are
disabled.
-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Wednesday, January 11, 2006 1:12 AM
To: Paul Moore
Cc: openssh-unix-dev at mindrot.org
Subject: Re: PAM auth with disabled user
On Tue, Jan 10, 2006 at 01:50:52PM -0800, Paul Moore wrote:
> Is it intentional that password auth using PAM continues trying to log
> on (giving password 3 prompts) in the case that a user is disabled (so
> that pam_account returns an error code).
>
> It can be argued both ways (saying 'you are disabled' is giving out
> too much information, making it look like you are entering the wrong
> password confuses and frustrates the user)
Which version are you looking at? The last couple of versions will send
the output from PAM to the client under most conditions, and there are a
couple of fixes in the current development version that should fix the
remaining cases (those will be in the next release).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list