This one time, at band camp, Steve Langasek said:
> On Sat, Oct 27, 2007 at 03:12:45PM +0100, Stephen Gran wrote:
> 
> > I've been working on the debconf.org machines, which use ud-ldap the
> > same way the debian.org machines do.  Currently what happens when an
> > account is locked for whatever reason is that the LDAP password
> > field is updated with a special prefix to indicate this, but the
> > password expiry field is not updated (this last is arguably a bug in
> > ud-ldap).  In order to work around this, DSA has been carrying
> > around a patched sshd for years to check the password field for this
> > special marker.  The attached pam module would solve this, either as
> > a standalone module, or (perhaps better) as something merged into
> > pam_unix or the like.
> 
> I really can't fathom why we would want to allow users to use
> arbitrary prefixes to invalidate password field entries.  That would
> allow users to shoot themselves in the foot if they use any of the
> base64 chars (valid leading chars in traditional crypt(3) passwords)
> or $ (marker for md5 passwords), and could lead to incompatibilities
> with future extensions.

Agreed.  I don't think this is something that should be enabled by
default.  Part of the reason for writing it as a separate module was my
feeling that people should have to really think about it before enabling
this check.

> What is the marker that ud-ldap is using?  The shadow "passwd" uses
> '!' as a marker for locked accounts; supporting that particular marker
> is already discussed in bug #389183.  If ud-ldap is using a different
> marker, we should probably talk about harmonizing the two.

Currently I believe ud-ldap uses *LK* as the shadow password prefix to
indicate that an account is locked.  There is a patch in at least some
trees to also check for ! as the prefix, but of course none of the trees
are in sync in any meaningful way, so I have no idea if that's just
debconf.org's ud-ldap, or if that is also in DSA's ud-ldap.  

In #389183, people made the very reasonable suggestion of having passwd
update the account expiry information as an additional way to tell if
the account is locked, but AFAICT, no check was added to PAM to check
the shadow passwd prefix.  I'm just asking for a way to check for a
given prefix.  If you think that only supporting ! as the shadow passwd
lock prefix is reasonable, I'm OK with that - the patch for ud-ldap is
fairly trivial.  The point is that right now we have no way of checking
shadow prefixes at all in the PAM suite, AFAIK.

> As for this being a separate module, I don't believe that any module
> other than pam_unix should be touching /etc/shadow (or getspnam()).

I'm fine with merging the prefix test into pam_unix.  I wrote it as a
separate module for essentially two reasons: I don't think this is
something most sites will want, and it made testing much easier.  Now
that I've tested it enough to be sure it works, that reason is gone.

Most sites will probably use passwd -l, which will update the account
expiry field when an account is locked.  Since pam_unix already checks
that field, they wouldn't have a need for this test.  It's only the
(surprise) pathological case of ud-ldap that updates the shadow password
field but doesn't update the account expiry field at the same time that
would benefit from this.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
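The following is an added illustration of the two points argued above; it is not code from this thread, from ud-ldap, or from pam_unix. It contrasts a check that only recognises the fixed lock markers named in the mail ("!" from shadow's passwd and "*LK*" from ud-ldap) with a site-configurable arbitrary prefix, and counts how many perfectly valid crypt(3) hashes an arbitrary prefix such as "$" or a base64 character would wrongly report as locked. `struct shadow_entry` is a constructed stand-in for the `sp_pwdp` and `sp_expire` fields of `struct spwd`; the sample hashes are made up and are not real credentials; the expiry semantics (account expired once today's day count reaches `expire`, with -1 meaning no expiry) are an assumption of this example.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Lock markers named in the thread: shadow's "!" and ud-ldap's "*LK*".
 * Neither can begin a valid crypt(3) hash, so matching them is unambiguous. */
static const char *const KNOWN_LOCK_PREFIXES[] = { "!", "*LK*" };
#define N_KNOWN_LOCK_PREFIXES 2

enum lock_status { NOT_LOCKED = 0, LOCKED_BY_PREFIX = 1, LOCKED_BY_EXPIRY = 2 };

/* Constructed stand-in for the two struct spwd fields this check needs
 * (sp_pwdp and sp_expire in <shadow.h>); a real module would obtain them
 * through getspnam(), which the thread says only pam_unix should call. */
struct shadow_entry {
    const char *name;
    const char *pwdp;   /* encrypted password field, possibly carrying a lock marker */
    long expire;        /* account expiry as days since the epoch, -1 when not set */
};

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* The proposed test: locked only if the field begins with a known marker. */
int locked_by_known_prefix(const char *pwdp)
{
    for (size_t i = 0; i < N_KNOWN_LOCK_PREFIXES; i++)
        if (starts_with(pwdp, KNOWN_LOCK_PREFIXES[i]))
            return 1;
    return 0;
}

/* The variant the thread argues against: any site-chosen prefix counts as a lock. */
int locked_by_arbitrary_prefix(const char *pwdp, const char *prefix)
{
    return prefix[0] != '\0' && starts_with(pwdp, prefix);
}

/* Constructed sample hashes in the formats the thread mentions (not real credentials):
 * a traditional 13-character crypt(3) hash, an md5-crypt "$1$" hash and a "$6$" hash. */
static const char *const SAMPLE_VALID_HASHES[] = {
    "ab0123456789.",
    "$1$saltsalt$hashhashhashhashhashha",
    "$6$saltsalt$hashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhash",
};
#define N_SAMPLE_VALID_HASHES 3

/* How many genuinely valid hashes a given lock prefix would wrongly report as locked.
 * "$" locks every md5/sha hash; any base64 character locks traditional hashes. */
int count_false_locks(const char *prefix)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLE_VALID_HASHES; i++)
        n += locked_by_arbitrary_prefix(SAMPLE_VALID_HASHES[i], prefix);
    return n;
}

/* Combined account check: the expiry test first (the one passwd -l style locking
 * relies on; semantics assumed as described in the lead-in), then the prefix test
 * that catches entries, like ud-ldap's, which only rewrite the password field. */
enum lock_status account_lock_status(const struct shadow_entry *e, long today_days)
{
    if (e->expire >= 0 && today_days >= e->expire)
        return LOCKED_BY_EXPIRY;
    if (locked_by_known_prefix(e->pwdp))
        return LOCKED_BY_PREFIX;
    return NOT_LOCKED;
}

/* Today's date in the unit /etc/shadow uses for sp_expire. */
long days_since_epoch_now(void)
{
    return (long)(time(NULL) / (24 * 60 * 60));
}
```

Usage: `account_lock_status(&entry, days_since_epoch_now())` gives the decision a pam_unix account check would make; `count_false_locks("$")` shows the collision Steve describes, since every md5 and sha-crypt hash begins with that character.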
