Regarding Debian bug #389183:
 pam_unix: in 'account' mode, deny authorization if user's account is locked
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183

The submitter claims that passwd -l should lock the account (as the
manpage claims), rather than lock the password.

Colin knows people that use passwd ! munge to enforce public key
authorization by disabling the password, while leaving the account
enabled (in the shadow file "expires on this many days after 1970"
field).

Steve suggested that passwd -l expire the password in passwd and the
account in shadow; Nicolas implemented this.

Unfortunately I'm not sure how this helps.  Are we assuming that one
doesn't use passwd -l but rather vipw to enforce public key auth?
Otherwise the behavior change will suddenly begin to upset Colin's
people, right?

Justin
(sorry for long cc list)
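
Added example, not part of the original message: a Python sketch that separates the two states the thread is arguing about, a locked password ("!" in front of the hash) and an expired account (the shadow field counting days after 1970). The sample entries are constructed, the function names are hypothetical, and treating the account as expired once today's day number reaches the field is an assumption.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed shadow(5) entries; the hashes are placeholders, not real ones.
SAMPLE = """\
alice:$6$constructed$hash:19000:0:99999:7:::
bob:!$6$constructed$hash:19000:0:99999:7:::
carol:!$6$constructed$hash:19000:0:99999:7::1:
"""

def classify(line, today=None):
    """Return (user, password_locked, account_expired) for one shadow line."""
    today = today or date.today()
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("not a shadow entry: expected at least 8 fields")
    user, pw, expire = fields[0], fields[1], fields[7]
    # A leading "!" in the password field is the password lock the message
    # calls the "passwd ! munge".
    password_locked = pw.startswith("!")
    # Field 8 is the account expiry in days since 1970-01-01; empty means
    # the account never expires. Assumption: expired when today >= field.
    today_days = (today - EPOCH).days
    account_expired = expire != "" and today_days >= int(expire)
    return user, password_locked, account_expired

def report(text, today=None):
    """Map each user in a shadow-format text to a state description."""
    states = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, locked, expired = classify(line, today)
        if locked and expired:
            states[user] = "password locked, account expired"
        elif locked:
            # The case described for Colin's users: no password login,
            # account itself still enabled.
            states[user] = "password locked, account enabled"
        elif expired:
            states[user] = "account expired"
        else:
            states[user] = "open"
    return states

if __name__ == "__main__":
    for user, state in report(SAMPLE).items():
        print(f"{user}: {state}")
```

Here "bob" is the entry that would change state if passwd -l also set the expiry field, ending up like "carol".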

