LinuxQuestions.org
Red Hat This forum is for the discussion of Red Hat Linux.
Old 09-17-2009, 02:59 PM   #1
ddxC
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Rep: Reputation: 0
/etc/shadow + pam.d configs -- Do they hate each other?


Hey all!

Quick RHEL 5.3 Question. If I am root and I am trying to find which users on my system are locked out I know that I should be able to just look in /etc/shadow to figure this out. There should be a single "!" denoted in front of an encrypted password for the accounts that are locked.
I know that I also can do a passwd -S username command and it will tell me if an account is locked. The PS field changes to LK if a user account is locked.

Ok so my question is in conjunction with what I said previously and with pam.d and all those fun modules like pam_tally and pam_sshd that are already configured and are working for me at least to some degree. So I have set my /pam.d/system-auth-ac config such that a user only has a certain number of login attempts before their account is locked. No problem there. That is working.

So my question is first if a user is locked out from their account due to the pam.d configs why are they given the opportunity to keep on attempting to login? Second, the user cannot login (even with the correct password without being unlocked by an admin) so why is there no indication in my /etc/shadow file denoting that they are locked out???

I may just not understand this all that well, but I think I have a pretty decent grasp here. Could someone throw some of their linux wisdom at me???

Thanks for any and all of your time trying to educate me!
 
Old 09-17-2009, 11:51 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
I believe (could be wrong) that the difference is that if root (manually/script) disables/locks an acct, that's permanent until it's manually unlocked, and this shows up in the shadow file.
pam just temporarily 'locks' an acct after N (usually 3) consecutive failed attempts. This does not show up in the shadow file, it's purely a pam issue.

Also, leading '!' is Linux, http://linux.die.net/man/1/passwd
LK is Solaris http://linuxshellaccount.blogspot.co...and-login.html
 
Old 09-18-2009, 02:31 AM   #3
ddxC
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Original Poster
Rep: Reputation: 0
I knew that the "LK" usually showed up on Unix but it will show up if you use the passwd -S 'UserName' if it's locked. I don't know if that's Red Hat specific.

But yea, thanks for the answer. That seems weird that pam locked accounts wouldn't show up in /etc/shadow. So do you or anyone else know how pam knows that an account is actually locked out if it doesn't show up in shadow?? It has got to keep track of it somewhere. If not shadow where?? I ask because I am being asked to write a script to summarize this information but I kind of need to know where it is logged.

Thanks!
 
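The summary script asked for in the last post, as an added example that is not from anyone in the thread: it classifies accounts from shadow-format lines the way `passwd -S` does, and separately reads the per-user failure counter that pam_tally keeps in /var/log/faillog (listed by the `faillog` command), which is the place the shadow file never reflects. The shadow and faillog samples are constructed, the faillog column layout is an assumption, and the deny=3 threshold is assumed to match the pam_tally line in system-auth.

```python
# Constructed /etc/shadow excerpt; the hash fields are placeholders.
SHADOW_SAMPLE = """\
root:$1$PLACEHOLDERHASH:14500:0:99999:7:::
alice:$1$PLACEHOLDERHASH:14500:0:99999:7:::
bob:!$1$PLACEHOLDERHASH:14500:0:99999:7:::
daemon:*:14500:0:99999:7:::
guest::14500:0:99999:7:::
"""

# Constructed listing in the shape of `faillog -a` (assumed column order).
FAILLOG_SAMPLE = """\
Login       Failures Maximum Latest                   On
alice              4       0   09/17/09 14:59:00 -0500  pts/0
"""

def shadow_status(hash_field):
    """Status letters as printed by `passwd -S`: NP, LK or PS."""
    if hash_field == "":
        return "NP"                        # no password set
    if hash_field.startswith(("!", "*")):
        return "LK"                        # locked or unusable hash
    return "PS"                            # usable password

def parse_shadow(text):
    # user -> passwd -S style status, from shadow-format lines
    return {line.split(":")[0]: shadow_status(line.split(":")[1])
            for line in text.splitlines()}

def parse_faillog(text):
    # user -> failure count; pam_tally keeps this in /var/log/faillog, not shadow
    counts = {}
    for line in text.splitlines()[1:]:     # first row is the header
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            counts[parts[0]] = int(parts[1])
    return counts

def summarise(shadow_text, faillog_text, deny=3):
    # deny mirrors the pam_tally deny= threshold in system-auth (assumed 3)
    tally = parse_faillog(faillog_text)
    report = {}
    for user, status in parse_shadow(shadow_text).items():
        if status == "LK":
            report[user] = "locked in shadow"
        elif tally.get(user, 0) >= deny:
            report[user] = "locked by pam_tally (%d failures)" % tally[user]
        else:
            report[user] = status
    return report
```

On a real host you would feed it the contents of /etc/shadow and the output of `faillog -a`; an account can show PS in shadow and still be refused by pam_tally, which is exactly the gap the thread is about.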