>>>>> "Steve" == Steve Langasek <[EMAIL PROTECTED]> writes:

    Steve> It does, if you use the authorization checks in PAM. If
    Steve> you only use the authentication checks, then PAM is only
    Steve> going to authenticate the user -- not check whether they're
    Steve> allowed access.

When you say "authorization checks" vs "authentication checks", what do you mean? PAM has the following sections: "auth", "account", "password", "session". All of these are configured by default on Debian.

The implication I got when reading Marc's post (or did I read too much into it?) is that if ssh is configured to use PAM and you use RSA-based authentication, it won't detect if the account is locked. I fail to see where terms like "authorization" and "authentication" fit into its configuration scheme.

If I did misread Marc's post, and pam_unix does the right thing, this doesn't excuse pam_ldap for not doing the right thing either (as shown in my test results I already posted).

    Steve> This leaks information to attackers about the state of the
    Steve> account.

Only if the attackers are able to successfully authenticate as you. If they can authenticate as you, then security is potentially lost anyway, right?

...unless the solution to the error is to update the password, but in that case leaking the information doesn't have any downside.

Perhaps the only exception I can think of is if the account is locked due to "too many login attempts" as opposed to "password expired" or "account has expired" or some other predictable reason. Then, yes, that would be a problem.
-- 
Brian May <[EMAIL PROTECTED]>
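The distinction the thread is circling is between the PAM "auth" stack (is this really the user?) and the "account" stack (is this user still allowed in?). When sshd accepts a public key, it verifies the key itself and never calls the PAM "auth" stack, but with PAM enabled it still runs the "account" stack, so anything that only lives in the password field (a "!" lock) goes unnoticed, while shadow expiry and aging are still enforced. The script below is an added example written for this thread, not code from pam_unix, pam_ldap or OpenSSH: it models the shadow checks an "account" module performs over a constructed /etc/shadow and shows which login methods each state actually blocks. Field semantics follow shadow(5); the day numbers and hashes are made up.

```python
"""Model of PAM auth-vs-account checks against shadow entries (illustrative, not pam_unix)."""

# Constructed sample shadow file (not from a real system).
# Fields: name:passwd:lastchg:min:max:warn:inactive:expire:reserved (days since 1970-01-01).
SAMPLE_SHADOW = """\
alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::
bob:!$6$saltsalt$hashhashhash:19000:0:99999:7:::
carol:$6$saltsalt$hashhashhash:19000:0:90:7:30::
dave:$6$saltsalt$hashhashhash:19000:0:99999:7::19100:
"""

FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")


def _int_or_none(s):
    return int(s) if s else None


def parse_shadow(text):
    """Parse shadow(5) text into {name: entry}; numeric fields become int or None when empty."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (len(FIELDS) - len(parts))  # tolerate short lines
        e = dict(zip(FIELDS, parts))
        for k in ("lastchg", "min", "max", "warn", "inactive", "expire"):
            e[k] = _int_or_none(e[k])
        entries[e["name"]] = e
    return entries


def password_auth_allowed(e):
    """What the *auth* stack sees: a '!' or '*' prefix means no password can ever match."""
    return not e["passwd"].startswith(("!", "*"))


def account_status(e, today_days):
    """What the *account* stack sees: expiry and password aging, independent of how the user authenticated."""
    if e["expire"] is not None and today_days >= e["expire"]:
        return "expired"                      # account expiry date reached
    if e["lastchg"] == 0:
        return "must_change"                  # admin forced a password change
    if e["lastchg"] is None or e["max"] is None:
        return "ok"                           # no aging information recorded
    age = today_days - e["lastchg"]
    if e["inactive"] is not None and age >= e["max"] + e["inactive"]:
        return "expired"                      # password aged out past the grace period
    if age >= e["max"]:
        return "must_change"                  # password older than the maximum age
    return "ok"


def access_decision(e, method, today_days):
    """Combine the stacks sshd actually runs for a given method.

    'password'  -> auth stack (password field) then account stack.
    'publickey' -> account stack only; the key is checked by sshd, outside PAM.
    """
    if method == "password" and not password_auth_allowed(e):
        return ("deny", "auth: password locked or unset")
    status = account_status(e, today_days)
    if status == "expired":
        return ("deny", "account: " + status)
    if status == "must_change":
        return ("allow_after_password_change", "account: " + status)
    return ("allow", "account: ok")


if __name__ == "__main__":
    today = 19100  # constructed "today", in days since the epoch
    for name, entry in parse_shadow(SAMPLE_SHADOW).items():
        for method in ("password", "publickey"):
            print(f"{name:6} {method:9} -> {access_decision(entry, method, today)}")
```

Running it shows the asymmetry the thread is worried about: bob's "!"-locked password denies password logins but his public key still gets "allow", because the lock is invisible to the account stack; dave's expiry date and carol's aged-out password are enforced for both methods. Any module that stands in for pam_unix in the "account" slot (pam_ldap included) needs to implement that second set of checks itself.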
Steve> It does, if you use the authorization checks in PAM. If Steve> you only use the authentication checks, then PAM is only Steve> going to authenticate the user -- not check whether they're Steve> allowed access. When you say "authorization checks" vs "authentication checks" what do you mean? PAM has the following sections "auth", "account", "password", "session". All of these are configured by default on Debian. The implication I got when reading Marc's post (or did I read too much into it?) is if ssh is configured to use PAM and if you use RSA based authentication, it won't detect if the account is locked. I fail to see where terms like "authorization" and "authentication" fit into its configuration scheme. If I did misread Marc's post, and pam_unix does the right thing, this doesn't excuse pam_ldap for not doing the right thing either (as shown in my test results I already posted). Steve> This leaks information to attackers about the state of the Steve> account. Only if the attackers are able to successfully authenticate as you. If they can authenticate as you, then security is potentially lost anyway, right? ...unless the solution to the error is to update the password, but in that case leaking the information doesn't have any downside. Perhaps the only exception I can think of is if the account is locked due to "too many login attempts" as opposed to "password expired" or "account has expired" or some other predictable reason. Then, yes, that would be a problem. -- Brian May <[EMAIL PROTECTED]> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]