reassign 389183 libpam-modules,passwd thanks > I did some testing with a test user, ssh and a public key, and it seems > that Steve Langasek is wrong, and pam_unix does not check to see if the > password field is (or is prefixed by) a ! character.
I don't believe I ever said that pam_unix checks whether the password field is prefixed by a ! character -- I said that pam_unix checks whether an account is locked. Apparently, we're using a couple different definitions of "locked" here. "Locking" a user's account by munging the password field is a kludge that overloads the meaning of this field. If you want to lock a Unix account such that pam_unix's authorization checks recognize the account as locked, there is an account expiry field in the shadow file that I believe is much more appropriate for this. But it seems that the passwd command doesn't have an option that will set this field; it has "passwd -l" and "passwd -u", which manage the "!" in the password field, and it has "passwd -e", which sets password expiry but *not* account expiry. Since, as Colin says, there are people who *expect* that editing the password field only locks the password, not the account, and this has been the behavior for, oh... about a decade now, I think it would be better if the passwd -l/-u option would edit the shadow account expiry field *in addition* to editing the password field as they do know. This would maximize compatibility, while giving passwd -l semantics that more exactly match the manpage documentation. So I'm assigning this bug to both libpam-modules and passwd, to get input from the shadow maintainers. Thanks, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. [EMAIL PROTECTED] http://www.debian.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
