> Looks like you're right. For some strange reason Linux PAM doesn't
> bother checking for account status in pam_acct_mgmt() where Solaris
> PAM does, for exactly this sort of reason. I wonder if there is a
> patch to Linux PAM's pam_unix.so to make it work correctly for session
> and account management.

I got a little bored tonight watching TV and sitting on IRC so I wrote a little PAM module to fix the problem. It will check for locked shadow passwords during the pam_sm_acct_mgmt callback preventing locked users from obtaining a login even if they are using public/private key authentication. I've placed it at the following url with some instructions in case anyone is interested.

http://users.netradius.com/~erikrj/pam_shadow_locked.tbz2
http://users.netradius.com/~erikrj/pam_shadow_locked/

--
Erik R. Jensen

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
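
The account-phase check described in the message above, as an added example; it is not the pam_shadow_locked source linked there. Assumptions: the module name `pam_lockcheck`, a leading `!` in the shadow hash field as the lock marker (the prefix `passwd -l` and `usermod -L` add), local accounts only, and failing closed when the shadow entry cannot be read.

```c
/* Added example, not the pam_shadow_locked source.
 * Module build (hypothetical name):
 *   cc -fPIC -shared -DWITH_PAM -o pam_lockcheck.so lockcheck.c -lpam */
#include <stddef.h>
#include <string.h>
#ifdef WITH_PAM
#include <shadow.h>
#include <security/pam_modules.h>
#endif

/* Assumption: "locked" = hash field begins with '!', the prefix that
 * passwd -l and usermod -L put in front of the stored hash. */
static int field_is_locked(const char *hash)
{
    return hash != NULL && hash[0] == '!';
}

/* Parse one shadow(5) line "name:hash:...". 1 = locked, 0 = not, -1 = malformed.
 * Constructed sample: "bob:!$6$salt$hash:19000:0:99999:7:::" is locked. */
int shadow_line_is_locked(const char *line)
{
    const char *hash;
    if (line == NULL || (hash = strchr(line, ':')) == NULL)
        return -1;
    hash++;                              /* first byte of the hash field */
    if (strchr(hash, ':') == NULL)       /* field must be ':'-terminated */
        return -1;
    return field_is_locked(hash);        /* empty field: hash[0] == ':' */
}

#ifdef WITH_PAM
/* Account phase: sshd with UsePAM yes still runs it after public-key auth. */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    struct spwd *sp;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;
    sp = getspnam(user);                 /* needs read access to /etc/shadow */
    if (sp == NULL)                      /* assumption: local accounts only, */
        return PAM_AUTHINFO_UNAVAIL;     /* so fail closed when unreadable   */
    return field_is_locked(sp->sp_pwdp) ? PAM_PERM_DENIED : PAM_SUCCESS;
}
#endif
```

Entries whose hash field is only `*` are reported as not locked here, so key-only service accounts keep working; treat them as locked only if that matches local policy.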
