{"id":299,"date":"2009-10-09T23:27:06","date_gmt":"2009-10-09T23:27:06","guid":{"rendered":"https:\/\/www.bishnet.net\/tim\/blog\/?p=299"},"modified":"2010-11-11T13:01:22","modified_gmt":"2010-11-11T13:01:22","slug":"pam-locking-out-accounts-when-using-external-authentication","status":"publish","type":"post","link":"https:\/\/www.bishnet.net\/tim\/blog\/2009\/10\/09\/pam-locking-out-accounts-when-using-external-authentication\/","title":{"rendered":"PAM – Locking out accounts when using external authentication"},"content":{"rendered":"

One of the projects I’ve been working on lately has required me to investigate the way PAM handles external authentication. The setup is a bunch of different boxes running Solaris, Linux and FreeBSD, but all authenticating from a single central Kerberos domain. There’s also LDAP in the mix, but it’s not actually relevant, so I’ll ignore it for now.<\/p>\n

The problem comes when you want to lock out an account on a machine. By this, I mean the account still exists in the passwd file (for whatever reason, it needs to stay there) and the account still exists within the Kerberos domain because it can log on to other machines.<\/p>\n

What are the options? The PAM setup probably looks a little something like this:<\/p>\n

auth    sufficient pam_krb5\r\nauth    required   pam_unix\r\n\r\naccount required   pam_krb5\r\naccount required   pam_unix<\/pre>\n
This setup allows the user to authenticate with just their Kerberos credential, but they must pass both modules in the account section (the pam_krb5 one here doesn’t do much though).<\/p>\n
So we can put whatever we want in the shadow password entry on the machine, it won’t affect the authentication – it never even gets there. But what about the account section? Can this do anything?<\/p>\n
After some investigation and source code checking I came up with the following:<\/p>\n