Secure Developments

Bypassing disabled accounts with KDM

So the most common way of disabling an account in a unix system is changing the users shell in /etc/passwd to /bin/false or /sbin/nologin. However, I’ve discovered on Arch Linux that if I do this only shell login’s are disabled, I was still able to log the user in with gui via kdm. I also tried using usermod –expiredate 1. this was not effective either however. the only way I found to lock the account from kdm login was to do a passwd -l accountname, which only locks password authentication. Read more →