LinuxQuestions.org
Old 03-10-2008, 05:49 PM   #1
legcard
Member
 
Registered: May 2007
Posts: 33

Rep: Reputation: 15
pam.d system_auth nullok question


I have my pam.d setup on my RHEL 4.6 machines. I set up the system-auth with the following line:
password required pam_unix.so nullok use_authtok md5 shadow \
remember=5

I just need somebody to tell me if I am all wet or if I understand it correctly.

My understanding is that if a password for Joe expires, the /etc/shadow file drops the encrypted password for Joe, essentially, Joe has no password.

BUT when Joe tries to login, pam_unix.so sees that Joe has an account (/etc/passwd) but his encrypted password field in /etc/shadow is null. Joe is then allowed to enter a new password which must pass the pam_cracklib.so parameters (use_authtok). If the nullok was omitted from the pam_unix.so line in system_auth, then Joe would not be identified as a valid user with an expired password and would not be allowed to choose a new password.

So is that correct or am I dreaming?

I have read/bought every book I can find that explains PAM. The more I read, the more confused I get. Any help would be appreciated.

Linda
 
Old 03-11-2008, 12:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,358
Blog Entries: 55

Rep: Reputation: 3545
Quote:
Originally Posted by legcard View Post
if a password for Joe expires, the /etc/shadow file drops the encrypted password for Joe
AFAIK it doesn't "drop" anything, a visual check of the fields should confirm that.


Quote:
Originally Posted by legcard View Post
If the nullok was omitted from the pam_unix.so line in system_auth, then Joe would not be identified as a valid user with an expired password
As I read it if "nullok" was omitted Joe would still be identified as a valid user since he has an account, but wouldn't have been allowed access to the service because of an empty pass.
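The distinction in this reply (an empty password field versus an expired one, and what `nullok` changes) can be checked mechanically. The following is an added example, not code from the thread or from Linux-PAM: it parses constructed /etc/shadow-style lines and a pam.d line, classifies each account's password field the way pam_unix does (empty, locked with `!`/`*`, or hashed), models the auth-stack decision with and without `nullok` as the reply describes it, and runs the ageing check (lastchg + max days) separately to show that expiry is a date comparison that leaves the hash field as it was. The shadow entries, hashes and day counts are all made up, and `nullok` is read off whichever pam.d line you pass in, so it does not distinguish the auth stack from the password stack the OP's line is on.

```python
"""Added audit helper: pam_unix auth decision vs. nullok and the shadow field.
All sample data below is constructed; nothing is taken from a real system."""
import shlex

# Constructed /etc/shadow-style lines (name:pw:lastchg:min:max:warn:inactive:expire:flag).
SAMPLE_SHADOW = """\
root:$1$madeup$abcdefghijklmnopqrstuv:13800:0:99999:7:::
joe::13800:0:99999:7:::
mary:$1$madeup$abcdefghijklmnopqrstuv:13700:0:90:7:::
svc:!!:13800:0:99999:7:::
nobody:*:13800:0:99999:7:::
"""

# The OP's system-auth line, and a constructed auth line that omits nullok.
LINE_WITH_NULLOK = "password required pam_unix.so nullok use_authtok md5 shadow remember=5"
LINE_WITHOUT_NULLOK = "auth required pam_unix.so md5 shadow"


def module_options(pam_line):
    """Return the option words that follow the module name on a pam.d line."""
    words = shlex.split(pam_line)
    # Layout of a pam.d line: type control module [option ...]
    return set(words[3:])


def parse_shadow(text):
    """Parse shadow-format lines into {name: fields}; ageing fields become ints or None."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % line)
        name, pw, lastchg, _min, maxdays, _warn, _inact, _expire, _flag = fields
        entries[name] = {
            "hash": pw,
            "lastchg": int(lastchg) if lastchg else None,
            "max": int(maxdays) if maxdays else None,
        }
    return entries


def password_state(entry):
    """Classify the shadow password field the way pam_unix treats it."""
    pw = entry["hash"]
    if pw == "":
        return "empty"    # no password at all; only nullok lets this authenticate
    if pw[0] in "!*":
        return "locked"   # a locked or disabled field never matches a typed password
    return "hashed"


def auth_decision(entry, nullok):
    """What the pam_unix auth step does for this account, before any ageing checks."""
    state = password_state(entry)
    if state == "empty":
        return "allow" if nullok else "deny"
    if state == "locked":
        return "deny"
    return "check-password"  # compare the typed password against the stored hash


def password_expired(entry, today_days):
    """Ageing check done by the account stack: lastchg + max < today.
    This compares dates only; the hash field is never blanked by expiry."""
    if entry["lastchg"] is None or entry["max"] is None:
        return False  # no ageing information, so nothing can expire
    return entry["lastchg"] + entry["max"] < today_days


def audit(shadow_text, pam_line, today_days):
    """Report empty-password accounts, whether this pam_unix line would admit
    them, and which accounts have merely aged out (and still hold a hash)."""
    nullok = "nullok" in module_options(pam_line)
    entries = parse_shadow(shadow_text)
    report = {"nullok": nullok, "empty_password_accounts": [], "expired_accounts": []}
    for name, entry in entries.items():
        if password_state(entry) == "empty":
            report["empty_password_accounts"].append(name)
        if password_expired(entry, today_days):
            report["expired_accounts"].append(name)
    report["empty_accounts_can_login"] = nullok and bool(report["empty_password_accounts"])
    return report


if __name__ == "__main__":
    # 13900 is a constructed "today" in days since the epoch, matching the sample data.
    for line in (LINE_WITH_NULLOK, LINE_WITHOUT_NULLOK):
        print(line)
        print(audit(SAMPLE_SHADOW, line, today_days=13900))
```

Run against the constructed data, `mary` shows up as expired while her hash is still present, and only `joe` (empty field) is affected by whether `nullok` is set; on a real host the same parse over /etc/shadow is a quick way to confirm that no account has an empty field before leaving `nullok` in place.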
 
Old 03-12-2008, 09:04 AM   #3
legcard
Member
 
Registered: May 2007
Posts: 33

Original Poster
Rep: Reputation: 15
OK, it sounds like I better do some more reading. I had that all tangled up.

I appreciate your response.
Linda
 
  

