[Pkg-shadow-devel] Bug#389183: passwd -l to lock account in /etc/shadow as well as /etc/passwd (?)

Justin Pryzby justinpryzby at users.sourceforge.net
Mon Mar 5 20:57:55 CET 2007

Regarding Debian bug #389183:
 pam_unix: in 'account' mode, deny authorization if user's account is locked

The submitter claims that passwd -l should lock the account (as the
manpage claims), rather than lock the password.

Colin knows people that use passwd ! munge to enforce public key
authorization by disabling the password, while leaving the account
enabled (in the shadow file "expires on this many days after 1970").

Steve suggested that passwd -l expire the password in passwd and the
account in shadow; Nicolas implemented this.

Unfortunately I'm not sure how this helps.  Are we assuming that one
doesn't use passwd -l but rather vipw to enforce public key auth?
Otherwise the behavior change will suddenly begin to upset Colin's
people, right?

(sorry for long cc list)
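
The distinction discussed in the message above, between a locked password and an expired account, as an added example that is not part of the original post or of the shadow package. It reads shadow(5) lines and reports the two states separately; the function names, the sample entries and the `>=` expiry comparison are assumptions made for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def classify(line, today):
    """Return (name, password_locked, account_expired) for one shadow(5) line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow(5) entries have 9 colon-separated fields")
    name, pw, expire = fields[0], fields[1], fields[7]
    # A "!" in front of the hash is the password lock ("passwd ! munge").
    password_locked = pw.startswith("!")
    # Field 8 is the account expiry in days since 1970-01-01; empty = never.
    # Assumption: expired once today's day count reaches the field value.
    # shadow(5) warns that 0 is ambiguous; this sketch treats it as expired.
    days_now = (today - EPOCH).days
    account_expired = expire != "" and days_now >= int(expire)
    return name, password_locked, account_expired

def summarize(line, today):
    """One-line audit verdict that keeps the two states apart."""
    name, locked, expired = classify(line, today)
    if expired:
        return f"{name}: account expired (shadow expiry field is in the past)"
    if locked:
        return f"{name}: password locked, account not expired (public-key-only setup)"
    return f"{name}: password usable, account not expired"

# Constructed sample entries; the hashes are placeholders, not real values.
SAMPLE = [
    "alice:$6$salt$hash:13500:0:99999:7:::",     # normal account
    "bob:!$6$salt$hash:13500:0:99999:7:::",      # password locked only
    "carol:!$6$salt$hash:13500:0:99999:7::1:",   # locked and expired on day 1
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(summarize(entry, date.today()))
```

An account in bob's state is the one whose behaviour would change if `passwd -l` also set the expiry field.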
