Caleb Cushing's Blog

Bypassing disabled accounts with KDM

So the most common way of disabling an account on a Unix system is changing the user's shell in /etc/passwd to /bin/false or /sbin/nologin. However, I've discovered on Arch Linux that if I do this only shell logins are disabled; I was still able to log the user in to the GUI via KDM. I also tried using usermod --expiredate 1, but this was not effective either. The only way I found to lock the account from KDM login was to do a passwd -l accountname, which only locks password authentication. This means key and token authentication should still work. My real concern is that if the user was set to log in without a password, it would still be bypassable. My personal opinion is that I shouldn't have to do more than 1 thing to disable a user account in a 100% effective manner. Currently Arch Linux (and maybe more) fails at this. I'll post a fix later as I investigate further.

Bugs I filed are at kde and Arch Linux

EDIT: expire date worked… just not immediately, very odd.

EDIT: Here’s a proper /etc/pam.d/kde


#%PAM-1.0
# deny all non-root logins while /etc/nologin exists
auth required pam_nologin.so
# nullok lets an account with an empty password field in /etc/shadow log in without a password
auth required pam_unix.so nullok
# reject users whose login shell is not listed in /etc/shells; this is what makes a
# /bin/false or /sbin/nologin shell block KDM, so neither path may appear in /etc/shells
auth required pam_shells.so
# count failed attempts in /var/log/faillog; onerr=succeed allows login if the file cannot be opened
auth required pam_tally.so onerr=succeed file=/var/log/faillog
account required pam_access.so
account required pam_time.so
# enforces the account expiry date and password aging fields of /etc/shadow
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_env.so
session required pam_limits.so

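As an added example, not code from the post, a small POSIX sh audit that reports for one user how each of the three mechanisms discussed above would treat the account: the /etc/shells check pam_shells performs, the passwd -l lock, and the /etc/shadow expiry date that pam_unix's account check enforces. The passwd, shadow and shells data below are constructed; on a real host pass the contents of the real files instead.

```shell
#!/bin/sh
# Added example (not from the post): audit the disable mechanisms the post discusses.
# Takes the passwd/shadow/shells text as arguments so it runs unprivileged on
# constructed data instead of reading /etc/shadow directly.

# Constructed sample data, not from any real system.
SAMPLE_PASSWD='bob:x:1001:1001::/home/bob:/bin/false
alice:x:1002:1002::/home/alice:/bin/bash'
SAMPLE_SHADOW='bob:!$6$salt$hash:15000:0:99999:7::1:
alice::15000:0:99999:7:::'
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# account_report USER PASSWD_TEXT SHADOW_TEXT SHELLS_TEXT TODAY_DAYS
# Prints: shell=<ok|blocked> password=<set|locked|empty> expiry=<none|active|expired>
# TODAY_DAYS is the current date in days since the epoch, the unit shadow(5) uses.
account_report() {
  user=$1 passwd_text=$2 shadow_text=$3 shells_text=$4 today=$5
  pw_line=$(printf '%s\n' "$passwd_text" | grep "^$user:") || return 1
  sh_line=$(printf '%s\n' "$shadow_text" | grep "^$user:") || return 1
  shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
  hash=$(printf '%s\n' "$sh_line" | cut -d: -f2)
  expire=$(printf '%s\n' "$sh_line" | cut -d: -f8)
  # pam_shells: the login shell must be listed verbatim in /etc/shells
  if printf '%s\n' "$shells_text" | grep -qxF -- "$shell"; then s=ok; else s=blocked; fi
  # passwd -l prefixes the hash with '!'; '*' is the usual "no password" marker;
  # an empty field is exactly what pam_unix accepts when nullok is set
  case $hash in
    '')        p=empty ;;
    '!'*|'*'*) p=locked ;;
    *)         p=set ;;
  esac
  # shadow field 8: account expiry in days since the epoch; empty means never
  if [ -z "$expire" ]; then e=none
  elif [ "$expire" -le "$today" ]; then e=expired
  else e=active; fi
  printf 'shell=%s password=%s expiry=%s\n' "$s" "$p" "$e"
}

today_days=$(( $(date +%s) / 86400 ))
for u in bob alice; do
  printf '%s: ' "$u"
  account_report "$u" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_SHELLS" "$today_days"
done
```

A locked password still says nothing about key or token authentication, which is the post's remaining concern; the report only covers what pam_shells and pam_unix evaluate.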
