PAM-Authentication with regex

Hello all

I’ve implemented application authentication with “pam_pwdfile.so”. Now it would be nice if I could set a flag (e.g. LOCKED) after the password string in the users file, to define whether the account is locked or not. The users file looks like this:


[username]:[encrypted_password]

So I’m searching for a PAM module which can read out the line and look for the string “LOCKED”, to deny application access.
Any ideas or hints?

Thanks a lot.
Tom

There is already a convention for locking a password. The option that does it is -l in the passwd command and what it does is put a ! in front of the encrypted password in /etc/shadow. Such a crypted password will not match any entered password so you don’t have to read the password file and test for it separately, the password test will fail.

I don’t use Unix user authentication. It is its own text file, which contains all allowed users with their encrypted passwords. So I can’t use the “passwd” command.

But surely you can use the same idea with pam_pwdfile? You don’t need a separate module to do a separate test on the file, you just need to make the stored encrypted password invalid in any suitable way (like putting a ! in front of it, perhaps). Then it will definitely fail the test. So you don’t need another PAM module, you just need to write a program to edit the pw file and lock or unlock the password field.

Thanks a lot. This works fine. I placed a “!”-character between the username and the encrypted password, like this:


user:!:password

So, the pam_pwdfile-module interprets the “!”-character as a wrong password and the test will fail…

Thanks,
Tom
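
The "program to edit the pw file and lock or unlock the password field" suggested above, as an added example that is not part of the original posts. It assumes lines of the form `user:hash[:extra]` and the "!"-prefix convention from the reply; the function names are hypothetical.

```python
import os
import tempfile

LOCK = "!"  # marker from the thread: a "!" in front of the stored hash

def set_lock(lines, user, locked):
    """Return new lines with `user` locked or unlocked; KeyError if absent."""
    out, found = [], False
    for line in lines:
        fields = line.rstrip("\n").split(":")
        # Exact match on field 0, so "tom" never touches "tommy".
        if len(fields) >= 2 and fields[0] == user:
            found = True
            hash_ = fields[1].lstrip(LOCK)  # idempotent: never "!!hash"
            if not locked and not hash_:
                # Unlocking must not leave an empty password field behind.
                raise ValueError("no hash left after removing lock marker")
            fields[1] = LOCK + hash_ if locked else hash_
            line = ":".join(fields) + "\n"
        out.append(line)
    if not found:
        raise KeyError(user)
    return out

def is_locked(lines, user):
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1].startswith(LOCK)
    raise KeyError(user)

def rewrite(path, user, locked):
    """Apply the change atomically so PAM never reads a half-written file."""
    with open(path) as f:
        new = set_lock(f.readlines(), user, locked)
    # mkstemp creates the temp file with mode 0600 in the same directory.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.writelines(new)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, os.stat(path).st_mode & 0o777)  # keep original mode
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

Refusing to unlock an entry whose field is only "!" matters for files edited by hand in the `user:!:password` style, where stripping the marker would leave the password field empty.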