On Sat, Oct 27, 2007 at 03:12:45PM +0100, Stephen Gran wrote:
> Package: libpam-modules
> Version: 0.99.7.1-5
> Severity: wishlist
> Tags: patch
>
> I've been working on the debconf.org machines, which use ud-ldap the
> same way the debian.org machines do. Currently what happens when an
> account is locked for whatever reason is that the LDAP password field is
> updated with a special prefix to indicate this, but the password expiry
> field is not updated (this last is arguably a bug in ud-ldap). In order
> to work around this, DSA has been carrying around a patched sshd for
> years to check the password field for this special marker. The attached
> pam module would solve this, either as a standalone module, or (perhaps
> better) as something merged into pam_unix or the like.

I really can't fathom why we would want to allow users to use arbitrary
prefixes to invalidate password field entries. That would allow users to
shoot themselves in the foot if they use any of the base64 chars (valid
leading chars in traditional crypt(3) passwords) or $ (marker for md5
passwords), and could lead to incompatibilities with future extensions.

What is the marker that ud-ldap is using? The shadow "passwd" uses '!' as
a marker for locked accounts; supporting that particular marker is already
discussed in bug #389183. If ud-ldap is using a different marker, we
should probably talk about harmonizing the two.

As for this being a separate module, I don't believe that any module other
than pam_unix should be touching /etc/shadow (or getspnam()).

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
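The collision the reply describes, as an added example that is not code from pam_unix or from the attached module: a field classifier that recognises shadow's '!' lock marker, the '$' modular-crypt marker and a traditional crypt(3) hash, plus a check showing why a lock marker that starts with a base64 character or '$' cannot be told apart from a real hash. The enum names, the 13-character rule for traditional hashes and the helper names are assumptions made for this demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not pam_unix's own types): kinds of shadow-style
 * password field this demo distinguishes. */
typedef enum {
    PWFIELD_EMPTY,        /* empty field: no password set */
    PWFIELD_LOCKED,       /* leading '!': shadow's lock marker */
    PWFIELD_MODULAR,      /* leading '$': $id$salt$hash, e.g. $1$ = md5 */
    PWFIELD_TRADITIONAL,  /* 13 chars from the crypt(3) base64 alphabet */
    PWFIELD_INVALID       /* anything else: unusable as a hash */
} pwfield_kind;

/* The 64-character alphabet used by traditional DES crypt(3). */
static bool is_crypt_b64(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Classify one password field by its leading character(s). The 13-char
 * length check for traditional hashes is an assumption of this demo. */
pwfield_kind classify_pwfield(const char *field) {
    if (field == NULL || field[0] == '\0') return PWFIELD_EMPTY;
    if (field[0] == '!') return PWFIELD_LOCKED;
    if (field[0] == '$') return PWFIELD_MODULAR;
    if (strlen(field) != 13) return PWFIELD_INVALID;
    for (size_t i = 0; i < 13; i++)
        if (!is_crypt_b64(field[i])) return PWFIELD_INVALID;
    return PWFIELD_TRADITIONAL;
}

/* A lock marker is only safe if its first character can never start a
 * valid hash; otherwise genuine hashes are misread as "locked". This is
 * the foot-gun the reply describes for base64 chars and '$'. */
bool lock_marker_is_unambiguous(const char *marker) {
    if (marker == NULL || marker[0] == '\0') return false;
    return !is_crypt_b64(marker[0]) && marker[0] != '$';
}

/* Locking with '!' keeps the original hash intact, so unlocking is just
 * dropping the marker. Returns a pointer into `field`, or NULL if the
 * field is not locked. */
const char *hash_behind_lock(const char *field) {
    if (classify_pwfield(field) != PWFIELD_LOCKED) return NULL;
    return field + 1;
}
```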

