cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c

Alexander Leidinger Alexander at Leidinger.net
Wed May 16 15:48:15 UTC 2007


Quoting Ceri Davies <ceri at submonkey.net> (Fri, 11 May 2007 16:25:00 +0100):

> On Fri, May 11, 2007 at 06:10:20PM +0400, Yar Tikhiy wrote:
> > On Tue, May 01, 2007 at 11:07:42PM +0400, Yar Tikhiy wrote:
> > > On Mon, Apr 30, 2007 at 02:46:18PM +0100, Ceri Davies wrote:
> > > > On Mon, Apr 30, 2007 at 05:42:28PM +0400, Yar Tikhiy wrote:
> > > > > On Mon, Apr 30, 2007 at 02:15:04PM +0100, Ceri Davies wrote:
> > > > > > 
> > > > > > Well, we currently have an *NP* case as per above, but not a *LK* case,
> > > > > > so I disagree somewhat.
> > > > > 
> > > > > Why?  Now *LOCKED* in FreeBSD is nearly the same as *LK* in Solaris
> > > > > with the only difference being that cron or at doesn't seem to care
> > > > > about it.  And a single asterisk works for us as *NP* does in
> > > > > Solaris, although it isn't a prefix, it occupies the whole password
> > > > > field.  Did I miss anything?
> > > > 
> > > > Well, because of the cron thing :)
> > > 
> > > If we want to propagate account locking semantics to cron and atrun,
> > > which is a good idea IMHO, we should avoid code duplication.  I
> > > haven't yet found a suitable place in src/lib to put the check at,
> > > but we need to find one as more checks can be done there, e.g.,
> > > that for expired account because expired accounts shouldn't run
> > > scheduled jobs either.  Any ideas?  Of course, the most obvious way
> > > is to add the respective function to libutil, but I'm still unsure
> > > if it's the best way.
> > 
> > I think I've finally got the clue.  It's -- surprise! -- PAM account
> > management via pam_unix(8).  PAM-ifying cron and atrun can do the
> > job.  Then they will also be able to respect nologin(5) etc via
> > pam.conf(5), and no more patches will be necessary.
> 
> Well that sounds like an excellent solution, thanks for volunteering,
> Yar :)

We can also put this up on the ideas page? Anyone with enough insight
into this volunteering to write a sensible entry for the ideas list?
Plain text would be ok in case you don't want to handle the markup.

Bye,
Alexander.

-- 
I try to keep an open mind, but not so open that my brains fall out.
		-- Judge Harold T. Stone
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
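
The check discussed in the quoted thread (a locked or expired account should not run scheduled jobs), sketched as an added example that is not part of the original message and is not FreeBSD code. `job_allowed()` is a hypothetical helper that inspects one master.passwd(5)-format line directly instead of going through PAM; the sample entries are constructed and the expiry comparison is an assumption.

```c
/* Added example, not FreeBSD code: job_allowed() is a hypothetical helper. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum job_verdict { JOB_OK, JOB_LOCKED, JOB_EXPIRED, JOB_BAD_ENTRY };

/* Split on ':' in place, keeping empty fields (strtok would merge them). */
static int split_fields(char *line, char *out[], int max)
{
    int n = 0;
    for (char *p = line; n < max; ) {
        out[n++] = p;
        if ((p = strchr(p, ':')) == NULL)
            break;
        *p++ = '\0';
    }
    return n;
}

/* Entry layout: name:password:uid:gid:class:change:expire:gecos:home:shell */
enum job_verdict job_allowed(const char *entry, time_t now)
{
    char buf[1024], *f[10], *end;

    if (strlen(entry) >= sizeof(buf))
        return JOB_BAD_ENTRY;
    strcpy(buf, entry);
    if (split_fields(buf, f, 10) != 10)
        return JOB_BAD_ENTRY;
    /* "*LOCKED*" is a prefix; a bare "*" only disables password login. */
    if (strncmp(f[1], "*LOCKED*", 8) == 0)
        return JOB_LOCKED;
    long long expire = strtoll(f[6], &end, 10);
    if (end == f[6] || *end != '\0')
        return JOB_BAD_ENTRY;          /* fail closed on an unparsable field */
    if (expire > 0 && (long long)now >= expire)   /* assumed: 0 = no expiry */
        return JOB_EXPIRED;
    return JOB_OK;
}

int main(void)
{
    /* Constructed sample entries: locked account, then password-less "*". */
    printf("%d\n", job_allowed("bob:*LOCKED*x:1002:1002::0:0:Bob:/home/bob:/bin/sh", 1179330495));
    printf("%d\n", job_allowed("daemon:*:1:1::0:0:Owner:/root:/usr/sbin/nologin", 1179330495));
    return 0;
}
```
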

