So the most common way of disabling an account in a unix system is changing the user’s shell in /etc/passwd to /bin/false or /sbin/nologin. However, I’ve discovered on Arch Linux that if I do this, only shell logins are disabled; I was still able to log the user in with the GUI via kdm. I also tried using usermod --expiredate 1; however, this was not effective either. The only way I found to lock the account from kdm login was to do a passwd -l accountname, which only locks password authentication. This means key and token authentication should still work. My real concern is that if the user was set to log in without a password, it would still be bypassable.

My personal opinion is that I shouldn’t have to do more than 1 thing to disable a user account in a 100% effective manner. Currently Arch Linux (and maybe more) fails at this. I’ll post a fix later as I investigate further.

Bugs I filed are at KDE and Arch Linux.

EDIT: expire date worked… just not immediately, very odd.

EDIT: Here’s a proper /etc/pam.d/kde

    #%PAM-1.0
    auth required pam_nologin.so
    auth required pam_unix.so nullok
    auth required pam_shells.so
    auth required pam_tally.so onerr=succeed file=/var/log/faillog
    account required pam_access.so
    account required pam_time.so
    account required pam_unix.so
    password required pam_unix.so
    session required pam_unix.so
    session required pam_env.so
    session required pam_limits.so

– This work by Caleb Cushing is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
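An added example, not part of the original post: a POSIX shell audit that reports, for one account, which of the disable mechanisms discussed above apply (shell missing from /etc/shells, passwd -l lock, expiry date, empty password with nullok) and whether a given PAM service file would enforce them. The user names, the sample files and the kde-weak service file without pam_shells are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report which disable mechanisms
# apply to one account and whether the given PAM service file enforces them.
# Usage: audit_account USER PASSWD SHADOW SHELLS PAM_FILE [TODAY_IN_DAYS]
audit_account() (
    user=$1 passwd=$2 shadow=$3 shells=$4 pam=$5
    today=${6:-$(( $(date +%s) / 86400 ))}
    field() { awk -F: -v u="$user" -v n="$1" '$1 == u { print $n }' "$2"; }
    [ -n "$(field 1 "$passwd")" ] || { echo "no-such-user"; exit 1; }
    shell=$(field 7 "$passwd"); hash=$(field 2 "$shadow"); expire=$(field 8 "$shadow")
    out=""
    # pam_shells rejects a shell missing from /etc/shells, but only for
    # services whose auth stack actually includes the module.
    if ! grep -qxF -- "$shell" "$shells"; then
        if grep -Eq '^auth[[:space:]].*pam_shells\.so' "$pam"
        then out="$out shell:enforced"; else out="$out shell:ignored"; fi
    fi
    # passwd -l prefixes the hash with '!': password auth only. An empty
    # hash plus pam_unix 'nullok' means login with no password at all.
    case $hash in
        '!'*) out="$out password:locked" ;;
        '')   if grep -Eq 'pam_unix\.so.*nullok' "$pam"; then out="$out password:empty-allowed"; fi ;;
    esac
    # Expiry (shadow field 8, days since 1970-01-01) is checked by pam_unix
    # in the account stack.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        if grep -Eq '^account[[:space:]].*pam_unix\.so' "$pam"
        then out="$out expiry:enforced"; else out="$out expiry:ignored"; fi
    fi
    out=${out:- none}
    echo "${out# }"
)

# Constructed sample data: 'bob' has a nologin shell, a locked hash, expire day 1.
make_sample() {
    printf 'bob:x:1001:1001::/home/bob:/sbin/nologin\n' > "$1/passwd"
    printf 'bob:!$6$constructed:15000:0:99999:7::1:\n' > "$1/shadow"
    printf '/bin/sh\n/bin/bash\n' > "$1/shells"
    printf 'auth required pam_unix.so nullok\naccount required pam_unix.so\n' > "$1/kde-weak"
    printf 'auth required pam_unix.so nullok\nauth required pam_shells.so\naccount required pam_unix.so\n' > "$1/kde-fixed"
}

d=$(mktemp -d); make_sample "$d"
audit_account bob "$d/passwd" "$d/shadow" "$d/shells" "$d/kde-weak"
audit_account bob "$d/passwd" "$d/shadow" "$d/shells" "$d/kde-fixed"
rm -rf "$d"
```

On a real system, point the arguments at /etc/passwd, /etc/shadow, /etc/shells and the service file under /etc/pam.d; note that a nologin shell listed in /etc/shells passes pam_shells and will not be reported.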