SDB:Pam and locked accounts

Version: 11.1 -

Situation

You have problems with accounts that were locked with passwd -l: either they are not as locked as you expect, or su to them fails where it used to work.

Procedure

passwd -l $user is meant to lock the user's account, not merely the password, so that the user can no longer log in. On a system without shadow passwords this is done by prepending an exclamation mark to the password field in /etc/passwd; with shadow passwords the same mark is written to the password field in /etc/shadow. So if you want to test whether an account is locked, you have to check the password field in /etc/shadow for that leading exclamation mark, and exactly this check had not been done in the past.

On the other hand, some people relied on that behaviour, for instance to disallow ssh logins with a password while still allowing them with public key authentication (the marked hash can no longer be matched, but the account itself is not refused). An admin who expects passwd -l to lock the account completely will not be amused by this. The case was also discussed on the PAM mailing list; the conclusion there was to leave pam_unix unchanged and live with the unexpected behaviour. Thorsten Kukuk changed our pam_unix2 so that locked accounts are indeed locked. Granted, the account module should not have to look at the password, but there is no other way when, historically, locking an account was done by marking the password in a special way.

Of course this change has consequences. For instance, there are systems where system accounts have an exclamation mark instead of an asterisk in the password field of /etc/shadow. A su to such an account will now fail, even when root executes it.
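The following script is an added example and not code from the SDB page or from pam_unix2. It works on a small constructed set of /etc/shadow lines (no real accounts), classifies the password field the way the account check described above has to, and simulates what passwd -l and passwd -u do to that field. The user names and hashes are invented; the "!" prefix convention and the "*" placeholder are the real shadow conventions the text describes.

```shell
#!/bin/sh
# Added example (not from the openSUSE SDB page): inspect the password field
# of shadow entries for the lock mark that passwd -l writes, and simulate the
# lock/unlock transformation.

# Constructed sample entries in /etc/shadow format (invented users and hashes,
# not a real shadow file).
SAMPLE_SHADOW='alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:15000:0:99999:7:::
bob:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
mail:!:15000:0:99999:7:::
guest::15000:0:99999:7:::'

# Print the password field (second colon-separated field) of a user.
shadow_field() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Classify a password field:
#   locked   - starts with "!", the mark passwd -l leaves behind
#   nopasswd - "*": no password can ever match, but historically this was
#              not treated as "locked" by account checks
#   empty    - no password at all
#   hash     - a normal, usable password hash
classify_field() {
    case "$1" in
        '')   echo empty ;;
        '!'*) echo locked ;;
        '*')  echo nopasswd ;;
        *)    echo hash ;;
    esac
}

# What passwd -l does: prepend "!" so the field is no longer a valid hash
# (password authentication fails) while keeping the old hash so that
# passwd -u can restore it. Locking an already locked field changes nothing.
lock_field() {
    case "$1" in
        '!'*) printf '%s\n' "$1" ;;
        *)    printf '!%s\n' "$1" ;;
    esac
}

# What passwd -u does: strip the leading "!" again.
unlock_field() {
    printf '%s\n' "${1#!}"
}

# The check an account module has to perform to honour passwd -l:
# succeed (exit 0) if the user's password field carries the lock mark.
is_locked() {
    [ "$(classify_field "$(shadow_field "$1")")" = locked ]
}

# Usage: sh lockcheck.sh demo
if [ "${1:-}" = demo ]; then
    for u in alice bob daemon mail guest; do
        printf '%-7s %s\n' "$u" "$(classify_field "$(shadow_field "$u")")"
    done
fi
```

Note how daemon (field "*") and mail (field "!") differ: both can never authenticate with a password, but only mail carries the lock mark, so an account module that honours passwd -l refuses mail and not daemon. That is exactly the difference that makes su to such system accounts fail after the pam_unix2 change.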

This changed behaviour was noticed in openSUSE 11.2 and was fixed there by an update that restored the old behaviour:

Bug 556077 - su from root fails for locked accounts

This change was not carried over to Factory.

The correct solution is to leave out account management for root in /etc/pam.d/su and /etc/pam.d/sul, and this is exactly what was done in Factory. With this change, expired user accounts will no longer lead to an error for root either (we did have problems with those in ancient times).

The same solution was selected for openSUSE 11.3 and will be available as an update soon.