I keep running into these little annoyances in Linux. (And as I said here before, I love Linux, but there are some things which are just bad.) This time I was trying to see what happens if you lock an account. You didn’t even know you could do that?
passwd -l
Do you know what syslog has to say about this?
Nov 14 16:35:12 zurich passwd[21226]: password for `test' changed by `root'
And even worse, if you unlock:
passwd -u
Linux says:
Nov 14 16:35:12 zurich passwd[21226]: password for `test' changed by `root'
Great! What am I supposed to do with this? Is a password change really the same as a lock out of a user?
To continue on the path of auditing and such, have you tried to configure an automatic lock-out after a certain number of failed logins? Good luck. After a while you might find pam_tally. You have to use this PAM module to achieve that lockout. You can configure after how many failed passwords an account gets locked. Again, why is this in such a hidden module? Why not built-in? Is anyone going to rebuild the authentication sub-system? Please? And if you are at it, rethink the whole logging infrastructure too! Don’t forget to use a common log format, a specific fixed format that enforces certain information and is parsable! Stop logging copyright messages into syslog (Ok: dhclient?).
Actually, it is. The standard way of locking out an account in Unix is to prepend to the encrypted password a character that is outside the set of valid characters produced by crypt(2). I used to do it manually by prepending an asterisk to the encrypted password, and passwd -l seems to do it by using an exclamation mark (at least on my Gentoo machine).
Comment by ZZamboni — January 28, 2007 @ 7:42 am
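Since syslog reports a lock, an unlock and a real password change with the same message, the only place the difference survives is the second field of /etc/shadow. The following is an added example (not from the post or the commenter) that compares a shadow entry before and after an event and names the change; the entries and hash strings are constructed samples, and it assumes the shadow-utils behaviour described in the comment, a lock being a leading "!" in front of the otherwise unchanged hash.

```python
"""Tell a lock or unlock apart from a password change using /etc/shadow.

Assumption (from the comment above): passwd -l prepends '!' to the
encrypted password field and passwd -u removes it, leaving the hash
itself intact. A genuine password change replaces the whole hash.
"""

# Constructed sample entries; the hash values are placeholders, not real crypt output.
# Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
BEFORE = "test:$6$saltsalt$fakehashvalue:13466:0:99999:7:::"
LOCKED = "test:!$6$saltsalt$fakehashvalue:13466:0:99999:7:::"
CHANGED = "test:$6$newsalt1$otherhashvalue:13466:0:99999:7:::"


def shadow_hash(entry: str) -> str:
    """Return the encrypted-password field of one /etc/shadow line."""
    fields = entry.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow entry: {entry!r}")
    return fields[1]


def is_locked(hash_field: str) -> bool:
    """True when the field carries the passwd -l marker."""
    return hash_field.startswith("!")


def classify_change(before: str, after: str) -> str:
    """Classify the transition between two snapshots of the same user's entry.

    Returns one of: "no-change", "lock", "unlock", "password-change".
    """
    old, new = shadow_hash(before), shadow_hash(after)
    if old == new:
        return "no-change"
    if new == "!" + old:  # marker added, hash kept: this was passwd -l
        return "lock"
    if old == "!" + new:  # marker removed, hash kept: this was passwd -u
        return "unlock"
    return "password-change"  # the hash itself changed


if __name__ == "__main__":
    for label, pair in (("lock", (BEFORE, LOCKED)), ("unlock", (LOCKED, BEFORE)),
                        ("change", (BEFORE, CHANGED))):
        print(label, "->", classify_change(*pair))
```

Run against two copies of /etc/shadow taken around the timestamp of the ambiguous syslog line, this recovers what the log does not say.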