At 4AM +0100 on 1/02/13 you (Daniel Parthey) wrote:
Hi Ben,
Ben Morrow wrote:
if (set->check_nologin) {/* skip entries that don't have a valid shell.they're again probably not real users. */if (strcmp(pw->pw_shell, "/bin/false") == 0 ||strcmp(pw->pw_shell, "/sbin/nologin") == 0 ||strcmp(pw->pw_shell, "/usr/sbin/nologin") == 0)return FALSE;}Valid shells are defined in /etc/shells and "locked" users, I would strongly discourage from hardcoding a list of no-login shells here.
That list isn't mine, my patch just moves that code from one part of the file to another and makes it conditional. Personally I don't think checking the shell is sensible at all, which is why I'm trying to make it optional.
Users locked with "passwd -l" can also be detected by a ! at the beginning of the password hash.
That is system-specific, and in any case you have to be root (and on non-BSD systems you have to make a shadow password call) to see the password field. The userdb shouldn't be doing that: locked users will already be prevented from logging in with a password because the password won't match. (Of course, this doesn't cover e.g. Kerberos logins, though I would usually lock a Kerberos user by telling the KDC not to issue tickets rather than by locking the passwd account.)
Ben