>>>>> "Marc" == Marc Haber <[EMAIL PROTECTED]> writes:
Marc> If that option is switched off, an account created with
Marc> adduser --disabled-login is impossible to ssh into (log
Marc> entry "sshd[14704]: User testuser not allowed because
Marc> account is locked") while an account created with adduser
Marc> --disabled-password can ssh in fine via authorized_keys.

I would speculate that the pam_unix module doesn't support checking
whether the account is locked or not; it only checks to see if it can
match the password. However, as no password is used...

Is there any reason why pam_unix doesn't check if the account is locked?

Along similar lines, I have noticed general weirdness with pam_ldap.
According to tests I just conducted (OK means login allowed, Fail means
login failed):

                    | password     | RSA     | password
                    | courier-imap | openssh | openssh
--------------------+--------------+---------+--------------------
expired password    | OK           | Fail[1] | Fail[2]
account deactive[3] | Fail         | Fail    | OK
------------------------------------------------------------------

I find this inconsistency very confusing. What happened (in my case) is
that most users on my system log in via courier-imap and never realized
that their password had expired, because it continued working. Then they
came to a trivial problem that took ages to fix, because first I had to
debug why ssh wouldn't let them log in using a password.

I also find it incredible that an expired LDAP password will prevent RSA
based log ins (WHY?), but a deactive account won't (WHY not?).

I also think it would be really "cool"(TM) if the system could display a
message "password expired" or "account is locked" if the user
successfully authenticates to the system but the system is unable to
authorize the user to use the system. This saves the user wondering "did
I use the correct password?", "Did I enter it in correctly?", etc.
Notes:

[1] Nothing displayed to the user, but the following was logged:

    May 15 10:46:24 snoopy sshd[15018]: error: PAM: User account has expired for jan from localhost

[2] Automatically reverts to password-based authentication, which fails,
    but in this case it never displays the expired message.

    May 15 10:50:53 snoopy sshd[15846]: error: PAM: Authentication failure for jan from localhost

[3] "Account deactivated" option in "LDAP Account Manager". I haven't
    worked out how this is stored in LDAP yet. No messages displayed to
    the user.

-- 
Brian May <[EMAIL PROTECTED]>
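The following is an added example and not part of the mail above or of any of the projects it mentions. It models the two separate account checks that the first half of the mail runs into, over constructed /etc/shadow lines: sshd's own locked-account test, and a simplified model of pam_unix's account-management (ageing) test. The assumptions it rests on are stated as such: that Debian adduser --disabled-login writes "!" into the shadow password field while adduser --disabled-password writes "*"; that sshd treats a password field beginning with "!" as locked (the check behind the "not allowed because account is locked" log line) and does not treat "*" as a lock marker; and that pam_unix's account check only evaluates the ageing fields (lastchg, max, inact, expire) and never the lock prefix. The shadow lines, hashes and the "today" day count are constructed. pam_ldap, which the table in the mail is about, is not modelled here.

```python
"""Added example (not from the mail): model sshd's locked-account check and a
simplified pam_unix account check over constructed /etc/shadow lines.

Assumptions, stated as such: "!" in the shadow password field is what
adduser --disabled-login writes, "*" is what --disabled-password writes;
sshd refuses a "!"-prefixed field as locked before PAM is consulted;
pam_unix's account check (modelled here, simplified) looks at ageing
fields only, never at the lock prefix.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ShadowEntry:
    name: str
    passwd: str
    lastchg: Optional[int]   # days since epoch the password last changed
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inact: Optional[int]     # grace days after max before the account goes inactive
    expire: Optional[int]    # days since epoch when the account itself expires


def _opt_int(field: str) -> Optional[int]:
    # Empty shadow fields mean "not set"; "0" is a real value, so test emptiness.
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line: name:passwd:lastchg:min:max:warn:inact:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow line: %r" % line)
    ages = [_opt_int(f) for f in fields[2:8]]
    return ShadowEntry(fields[0], fields[1], *ages)


def sshd_locked(entry: ShadowEntry) -> bool:
    """sshd's own test, done without PAM: a "!"-prefixed password field is
    treated as locked. A bare "*" is not, so a --disabled-password account
    passes this test and can go on to authenticate with authorized_keys."""
    return entry.passwd.startswith("!")


def pam_unix_account_status(entry: ShadowEntry, today: int) -> str:
    """Simplified model of pam_unix account management; `today` is days since
    the epoch. Returns "expired" (PAM_ACCT_EXPIRED), "inactive"
    (PAM_AUTHTOK_EXPIRED), "must-change" (PAM_NEW_AUTHTOK_REQD) or "ok".
    The lock marker in the password field plays no part in any branch."""
    if entry.expire is not None and today >= entry.expire:
        return "expired"          # the account's expiry date has passed
    if entry.lastchg == 0:
        return "must-change"      # administrator forced a password change
    if entry.lastchg is None or today < entry.lastchg:
        return "ok"               # no ageing info, or change date in the future
    age = today - entry.lastchg
    if entry.max_days is not None:
        if entry.inact is not None and age > entry.max_days + entry.inact:
            return "inactive"     # password expired and grace period is over
        if age > entry.max_days:
            return "must-change"  # password expired, change still permitted
    return "ok"


def pubkey_login(line: str, today: int) -> str:
    """Outcome of an authorized_keys login for one shadow line: sshd's lock
    test runs first, then the modelled pam_unix account check."""
    entry = parse_shadow_line(line)
    if sshd_locked(entry):
        return "refused: sshd says account is locked"
    status = pam_unix_account_status(entry, today)
    if status in ("expired", "inactive"):
        return "refused: pam_unix says account is %s" % status
    if status == "must-change":
        return "allowed, password change required"
    return "allowed"


# Constructed sample lines; the hashes are placeholders, not real hashes.
TODAY = 13648  # constructed "today", in days since the epoch
SAMPLES = {
    "disabled-login":    "testlogin:!:13600:0:99999:7:::",
    "disabled-password": "testpw:*:13600:0:99999:7:::",
    "account-expired":   "jan:$1$placeholder:13000:0:99999:7::13600:",
    "password-expired":  "old:$1$placeholder:13000:0:90:7:::",
    "password-inactive": "gone:$1$placeholder:13000:0:90:7:30::",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print("%-18s %s" % (label, pubkey_login(line, TODAY)))
```

Running it shows the asymmetry the mail describes: the "!" account is refused by sshd itself while the modelled pam_unix check would have reported it as "ok", because nothing in that check looks at the password field; the "*" account is let straight through. The ageing rows show what the pam_unix side does refuse (an expired account, or a password past max plus inact) and where it only demands a password change.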