[Solved] Locked account and su interplay

(Resolved by looking at code, but for posterity)

The handbook mentions that locking an account makes it impossible to login (alternative to /usr/sbin/nologin shell).

The `pw` manpage mentions locking prepends a magic string to the password field in the password file.

But I also experience that for a locked user, `su theuser command` says `su: Sorry`.

Tracing the code:
- https://github.com/freebsd/freebsd-...566b3b6eb46bcbbc68adf01f/usr.bin/su/su.c#L344
- ... https://github.com/freebsd/freebsd-src/blob/main/contrib/openpam/lib/libpam/openpam_dispatch.c#L61
- ... checking of PAM_ACCOUNT chain ... pam_load_module ...
- /etc/pam.d/su -> "account" includes system
- /etc/pam.d/system -> mentions pam_unix.so
- ... https://github.com/freebsd/freebsd-...f/lib/libpam/modules/pam_unix/pam_unix.c#L195, bingo

The user in question was used as a service user. So the rc.subr `su -m user ...` is also prevented for locked users. Okay, nologin only then.
 
> The handbook mentions that locking an account makes it impossible to login (alternative to /usr/sbin/nologin shell).
>
> But I also experience that for a locked user, `su theuser command` says `su: Sorry`.

Yes, that is the entire point of locking an account.

Code:
     A password of ‘*’ indicates that password authentication is disabled for
     that account (logins through other forms of authentication, e.g., using
     ssh(1) keys, will still work).  The field only contains encrypted
     passwords, and ‘*’ can never be the result of encrypting a password.

     An encrypted password prefixed by ‘*LOCKED*’ means that the account is
     temporarily locked out and no one can log into it using any
     authentication.  For a convenient command-line interface to account
     locking, see pw(8).
passwd(5)
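To make the two posts above concrete (the `su -m` trace in the first and the passwd(5) rules in the reply), here is an added example in Python that is not from the thread or from FreeBSD's sources: it parses constructed master.passwd(5) lines and models which login paths a `*`, a `*LOCKED*` and a nologin-shell account fail. The `access()` decision table is a simplification assumed by this example: locked accounts fail pam_unix's account check on every path, `*` only blocks password authentication, and a nologin shell does not stop root's `su -m`, since `-m` keeps the invoking user's shell.

```python
from dataclasses import dataclass

LOCKED_PREFIX = "*LOCKED*"     # magic string pw(8) lock prepends, per passwd(5)
NOLOGIN = "/usr/sbin/nologin"

@dataclass
class Account:
    name: str
    password: str   # encrypted password field of master.passwd(5)
    shell: str

def parse_master_passwd_line(line: str) -> Account:
    # master.passwd layout: name:password:uid:gid:class:change:expire:gecos:home:shell
    fields = line.rstrip("\n").split(":")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    return Account(name=fields[0], password=fields[1], shell=fields[9])

def load_accounts(text: str) -> dict:
    return {a.name: a for a in (parse_master_passwd_line(l) for l in text.splitlines() if l)}

def is_locked(acct: Account) -> bool:
    """pw lock'ed account: pam_unix account management rejects it outright."""
    return acct.password.startswith(LOCKED_PREFIX)

def password_auth_disabled(acct: Account) -> bool:
    """'*' can never be the result of encrypting a password, so nothing matches."""
    return acct.password == "*" or is_locked(acct)

def access(acct: Account, method: str) -> str:
    """Outcome of one login path (simplified model, an assumption of this example).
    method: 'password' (login/ssh with a password), 'sshkey' (key-based ssh),
    'su_m' (root running `su -m user -c cmd` as rc.subr does: no password
    prompt, but su's PAM account chain still runs pam_unix)."""
    if is_locked(acct):
        return "denied: account locked"            # the `su: Sorry` case
    if method == "password" and password_auth_disabled(acct):
        return "denied: password authentication disabled"
    if method in ("password", "sshkey") and acct.shell == NOLOGIN:
        return "denied: shell is nologin"          # session runs nologin, which exits
    return "allowed"   # a nologin shell does not stop su -m: it keeps root's shell

# Constructed sample master.passwd lines; the hashes are placeholders, not real.
SAMPLE = """\
alice:$6$salt$placeholderhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
svc:*LOCKED*$6$salt$placeholderhash:2001:2001::0:0:Service:/nonexistent:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for acct in load_accounts(SAMPLE).values():
        for method in ("password", "sshkey", "su_m"):
            print(f"{acct.name:7} {method:9} {access(acct, method)}")
```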
 