[arch-general] pam settings INSECURE

Aaron Griffin aaronmgriffin at gmail.com
Wed Nov 18 09:23:03 EST 2009

On Tue, Nov 17, 2009 at 11:56 PM, Allan McRae <allan at archlinux.org> wrote:
> Caleb Cushing wrote:
>> so here's the problem I've discovered
>> http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-kdm.html
>> < links to arch bug included posting here because I believe both kde's
>> and arch's developers responses are less than satisfactory. This is a
>> security bug an easy to fix without making users lives more difficult.
> Oh no.  It has been 1 day and my "bug" is not fixed! I must blog about it so
> the world listens to me...
> "I shouldn't have to disable an account in more than 1 way to disable it
> across the board."
> Let see... one step procedures for disabling the user account
> 1) change password for that user
> 2) put an asterisk "*" at the beginning of the second field (before the
> encrypted password) in the file /etc/shadow.
> 3) set an account expiry date using chage
> 3) userdel is permanent one step procedure that works very well...
> #2 is my preferred.

As far as the people I know, passwd -d and passwd -l are the most
common ways to do this. They do NOT change the shell. Changing the
shell to lock out an account is laughable

More information about the arch-general mailing list