/etc/shadow + pam.d configs -- Do they hate each other?

ddxC · 09-17-2009, 01:59 PM

Hey all!

Quick RHEL 5.3 Question. If I am root and I am trying to find which users on my system are locked out I know that I should be able to just look in /etc/shadow to figure this out. There should be a single "!" denoted in front of an encrypted password for the accounts that are locked.
I know that I also can do a passwd -S username command and it will tell me if an account is locked. The PS field changes to LK if a user account is locked.

Ok so my question is in conjunction with what I said previously and with pam.d and all those fun modules like pam_tally and pam_sshd that are already configured and are working for me at least to some degree. So I have set my /pam.d/system-auth-ac config such that a user only has a certain number of login attempts before their account is locked. No problem there. That is working.

So my question is first if a user is locked out from their account due to the pam.d configs why are they given the oppurtunity to keep on attempting to login? Second, the user cannot login (even with the correct password without being unlocked by an admin) so why is there no indication in my /etc/shadow file denoting that they are locked out???

I may just not understand this all that well, but I think I have a pretty decent grasp here. Could someone throw some of their linux wisdom at me???

Thanks for any and all of your time trying to educate me!

chrism01 · 09-17-2009, 10:51 PM

I believe( could be wrong) that the difference is that if root (manually/script) disables/locks an acct, that's permanent until it's manually unlocked, and this shows up in the shadow file.
pam just temporarily 'locks' an acct after N (usually 3) consecutive failed attempts. This does not show up in the shadow file, it's purely a pam issue.

Also, leading '!' is Linux, http://linux.die.net/man/1/passwd
LK is Solaris http://linuxshellaccount.blogspot.co...and-login.html

ddxC · 09-18-2009, 01:31 AM

I knew that the "LK" usually showed up on unix but it will show up if you use the passwd -S 'UserName' if it's locked. I don't know if the that's red hat specific.

But yea, thanks for the answer. That seems weird that pam locked accounts wouldn't show up in /etc/shadow. So do you or anyone else know how pam knows that an account is actually locked out if it doesn't show up in shadow?? It has got to keep track of it somewhere. If not shadow where?? I ask because I am being asked to write a script to summarize this information but I kind of need to know where it is logged.

Thanks!