[Pkg-shadow-devel] Bug#389183: passwd -l to lock account in /etc/shadow as well as /etc/passwd (?)
Justin Pryzby
justinpryzby at users.sourceforge.net
Mon Mar 5 20:57:55 CET 2007
Regarding Debian bug #389183:
pam_unix: in 'account' mode, deny authorization if user's account is locked
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183

The submitter claims that passwd -l should lock the account (as the
manpage claims), rather than lock the password.

Colin knows people that use passwd ! munge to enforce public key
authorization by disabling the password, while leaving the account
enabled (in the shadow file "expires on this many days after 1970"
field).

Steve suggested that passwd -l expire the password in passwd and the
account in shadow; Nicolas implemented this.

Unfortunately I'm not sure how this helps. Are we assuming that one
doesn't use passwd -l but rather vipw to enforce public key auth?
Otherwise the behavior change will suddenly begin to upset Colin's
people, right?

Justin
(sorry for long cc list)
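
The distinction debated in the message above, a locked password versus an expired account, shown as an added audit example that is not part of the original message or of the shadow package. It assumes the nine-field shadow(5) layout with the expiry date in field 8; the sample lines are constructed, and `classify` and `audit` are hypothetical names.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample entries (hashes are placeholders, not real).
SAMPLE_SHADOW = """\
alice:$6$SALT$PLACEHOLDERHASH:13500:0:99999:7:::
bob:!$6$SALT$PLACEHOLDERHASH:13500:0:99999:7:::
carol:!$6$SALT$PLACEHOLDERHASH:13500:0:99999:7::1:
dave:$6$SALT$PLACEHOLDERHASH:13500:0:99999:7::13000:
"""

def classify(line, today):
    """Return (name, status) for one shadow(5) line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    name, password, expire = fields[0], fields[1], fields[7]
    # A '!' prefix on the hash is the password lock ("passwd ! munge").
    password_locked = password.startswith("!")
    # Field 8 is the account expiry in days since 1970-01-01. Empty means
    # no expiry; 0 is ambiguous per shadow(5), so it is treated here as
    # "not expired" to avoid reporting an account as disabled when it may not be.
    expire_days = int(expire) if expire else 0
    today_days = (today - EPOCH).days
    account_expired = 0 < expire_days <= today_days
    if password_locked and account_expired:
        status = "locked-and-expired"
    elif account_expired:
        status = "account-expired"
    elif password_locked:
        status = "password-locked-only"
    else:
        status = "active"
    return name, status

def audit(shadow_text, today):
    """Classify every non-blank line of a shadow file's text."""
    return dict(classify(l, today) for l in shadow_text.splitlines() if l.strip())

if __name__ == "__main__":
    for name, status in audit(SAMPLE_SHADOW, date(2007, 3, 5)).items():
        print(name, status)
```

Entries reported as `password-locked-only` are the case the message describes: the password is disabled but the account itself is still enabled.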