This module selectively allows all local accounts (accounts found in /etc/passwd) to change their password and prevents remote users (e.g. users in LDAP/NIS+/YP etc.) from changing their password using the passwd command.
Optionally, the module can consult a config file to display a notification message (useful for redirecting users to a different password changing facility etc).
The pam_deny module, which is present in most Linux/Unix distributions, provides universal denial of password changes. That is good if you want to disable password changing for ALL of the local accounts (including the superuser account). However, if you have a setup where a majority of the users are in an LDAP database and you have a different method to allow/sync their passwords, then the pam_tdeny module is useful. I found myself in that same exact situation.
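One way the local-versus-remote decision described above could be made, as an added example (not pam_tdeny's own code, whose lookup method this page does not show). The names is_local_account, sample_is_local and SAMPLE_PASSWD are hypothetical, and the passwd data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `user` has its own entry in the passwd-format stream `fp`.
 * The file is read directly because getpwnam() goes through NSS and would
 * also find LDAP/NIS users, which are exactly the ones to tell apart. */
int is_local_account(FILE *fp, const char *user)
{
    char line[1024];
    size_t ulen = strlen(user);
    int at_start = 1;             /* is the next chunk the start of a line? */

    if (ulen == 0 || strchr(user, ':') != NULL)
        return 0;                 /* not a valid login name */
    while (fgets(line, sizeof line, fp) != NULL) {
        /* NIS compat entries ("+::::::", "+name", "-name") include or
         * exclude remote users; they are not local accounts, so skip them. */
        if (at_start && line[0] != '+' && line[0] != '-' &&
            strncmp(line, user, ulen) == 0 && line[ulen] == ':')
            return 1;             /* login name is the field before ':' */
        at_start = strchr(line, '\n') != NULL;  /* overlong line: keep skipping */
    }
    return 0;
}

/* Constructed sample in passwd(5) format, not taken from a real host. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1000:100:Alice:/home/alice:/bin/sh\n"
    "+ldapuser::::::\n"
    "+::::::\n";

/* Run the check against the sample; -1 means the temp file failed. */
int sample_is_local(const char *user)
{
    FILE *fp = tmpfile();
    int found;
    if (fp == NULL)
        return -1;
    fputs(SAMPLE_PASSWD, fp);
    rewind(fp);
    found = is_local_account(fp, user);
    fclose(fp);
    return found;
}

int main(void)
{
    printf("%d %d\n", sample_is_local("alice"), sample_is_local("ldapuser"));
    return 0;
}
```

A PAM password hook built on such a check would let local accounts fall through to the next module in the stack and return a denial, with the notification message, for everyone else.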
Download the module: pam_tdeny-0.1.tar.gz.
Once my subversion repository is available, I will stick the source there as well.
Browse the code using svn: http://svn.tigr.org/pam_tdeny/trunk/
Standard GNU package install instructions apply. I have tested/built the package on Solaris 9 and SuSE 9.3 (2.6.8-24.18) using GCC 3.4. For Solaris, I have tested the native compiler (cc) as well.
#
#wget www.tigr.org/~rajeev/pam_tdeny-0.1.tar.gz
#gunzip -c pam_tdeny-0.1.tar.gz | tar xvf -
#cd pam_tdeny-0.1
#setenv CC gcc (or setenv CC cc - if you are on Solaris and prefer the native compiler)
#./configure --prefix=
#make
#make install --> must be done as root or superuser if you did not specify any prefix.
Add this to the PAM conf files:
other password requisite pam_tdeny.so.1 file=/etc/pam_tdeny.conf
The file= specifier in the PAM conf file is optional. If the file= directive is not present, the module will look for /etc/pam_tdeny.conf. If that file is not present, then a default error message "Password Management is disabled on this host" will be used.
Specifying debug in the PAM conf file will cause debug messages to be written to syslog, which could be useful.
My Email address is in the AUTHORS file. Go ahead and send me an email.