5eaad9c nis: lock out accounts if nsAccountLock is TRUE

Authored and Committed by abbra 8 years ago
    nis: lock out accounts if nsAccountLock is TRUE
    
    Add a rule that adds two bang characters in front of the password.
    
    When the password algorithm is defined as CRYPT and NIS is used to
    authenticate users on other systems, there is no way to disable or lock
    accounts. Traditional convention has been to put two bang (exclamation)
    characters in front of the password, creating an impossible password
    hash. This effectively locks the user account, preventing
    authentication.
    
    All UNIX systems agree that, for encrypted passwords, the presence of a
    character which cannot be part of the CRYPT password scheme renders it
    impossible to log in to the system with such a password. However, not all
    systems have a meaning for locked accounts, or even for how these locked
    accounts express themselves.
    
    There is a certain controversy over what could be used to indicate locked
    accounts:
     - GNU/Linux systems expect '!' as the first character of the password field
     - FreeBSD expects the '*LOCKED*' string at the start of the password field
     - Various Solaris versions expect the '*LOCK*' string at the start of the
       password field
     - NetBSD has no meaning for locked passwords via the content of the
       password field
    
    Given that it is impossible to serve NIS maps with encrypted passwords
    in a different way to different clients, standardize on the '!!' scheme as
    traditional among UNIX administrators.
    
    Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1298478
    
        
file modified
+5 -5
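
An added example (not part of this commit or the project's code) that models the rule the commit message describes and audits passwd-format map lines against the platform lock markers it lists. The function names, the crypt character set, the `*` fallback for non-CRYPT values and the sample map lines are assumptions constructed for illustration.

```python
import re

# Lock markers listed in the commit message, keyed by the platform that honours them.
LOCK_PREFIXES = {"GNU/Linux": "!", "FreeBSD": "*LOCKED*", "Solaris": "*LOCK*"}

# Assumption: crypt(3) strings (DES and $id$salt$hash forms) use only these characters.
CRYPT_ALPHABET = re.compile(r"[./0-9A-Za-z$=,]+\Z")

# Constructed sample map lines in passwd format; the hashes are made up.
SAMPLE_MAP = [
    "alice:abJnggxhB/yWI:1000:1000:Alice:/home/alice:/bin/sh",
    "bob:!!abJnggxhB/yWI:1001:1001:Bob:/home/bob:/bin/sh",
]


def nis_password_field(user_password, ns_account_lock):
    """Model of the commit's rule: strip {CRYPT}, prefix '!!' when locked."""
    scheme, _, value = user_password.partition("}")
    if scheme.upper() != "{CRYPT" or not value:
        return "*"  # assumption: non-CRYPT values are never exported as a hash
    locked = str(ns_account_lock).upper() == "TRUE"
    return ("!!" + value) if locked else value


def audit_field(field):
    """Report whether a field can match a crypt hash and who sees it as locked."""
    return {
        "can_match_crypt": bool(CRYPT_ALPHABET.match(field)),
        "recognised_as_locked_by": sorted(
            name for name, prefix in LOCK_PREFIXES.items()
            if field.startswith(prefix)
        ),
    }


def audit_passwd_map(lines):
    """Parse passwd-format map lines and audit each entry's password field."""
    report = {}
    for line in lines:
        name, field = line.split(":", 2)[:2]
        report[name] = audit_field(field)
    return report


if __name__ == "__main__":
    for user, result in audit_passwd_map(SAMPLE_MAP).items():
        print(user, result)
```

For the locked sample entry the field can no longer match any crypt output, while only the GNU/Linux marker identifies it as locked, which is the trade-off the commit message accepts.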