From owner-cvs-all@FreeBSD.ORG Thu Apr 26 11:46:41 2007 Return-Path: X-Original-To: cvs-all@freebsd.org Delivered-To: cvs-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 58E3816A403; Thu, 26 Apr 2007 11:46:41 +0000 (UTC) (envelope-from ceri@submonkey.net) Received: from shrike.submonkey.net (cpc3-cdif2-0-0-cust64.cdif.cable.ntl.com [81.106.128.65]) by mx1.freebsd.org (Postfix) with ESMTP id F11CB13C4BB; Thu, 26 Apr 2007 11:46:40 +0000 (UTC) (envelope-from ceri@submonkey.net) Received: from ceri by shrike.submonkey.net with local (Exim 4.66 (FreeBSD)) (envelope-from ) id 1Hh2Qo-0002TS-E5; Thu, 26 Apr 2007 12:46:38 +0100 Date: Thu, 26 Apr 2007 12:46:38 +0100 From: Ceri Davies To: Alexandr Kovalenko Message-ID: <20070426114638.GC77408@submonkey.net> References: <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PZYVFYZbFYjzBslI" Content-Disposition: inline In-Reply-To: <20070426105458.GA98415@nevermind.kiev.ua> X-PGP: finger ceri@FreeBSD.org User-Agent: Mutt/1.5.15 (2007-04-06) Sender: Ceri Davies Cc: cvs-src@freebsd.org, Yar Tikhiy , src-committers@freebsd.org, cvs-all@freebsd.org Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Apr 2007 11:46:41 -0000 --PZYVFYZbFYjzBslI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote: > Hello, Yar Tikhiy! >=20 > On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote: >=20 > > yar 2007-04-26 06:39:01 UTC > >=20 > > FreeBSD src repository > >=20 > > Modified files: (Branch: RELENG_6) > > lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c=20 > > Log: > > MFC: > > pam_unix.c 1.52 > > pam_unix.8 1.13 > > =20 > > In account management, verify whether the account has been locked > > with `pw lock', so that it's impossible to log into a locked account > > using an alternative authentication mechanism, such as an ssh key. > > This change affects only accounts locked with pw(8), i.e., having a > > `*LOCKED*' prefix in their password hash field, so people still can > > use a different pattern to disable password authentication only. >=20 > Using the very same logic you should also add checking for '*', and for > any other string, which cannot be in password hash of different > algorithms. By the way, what if some crypto algorithm, which will be > used for password hashing can produce hash, which contains substring > '*LOCKED*' ? We really need to grow the same mechanism for this as Solaris has. The way that this works is: o If the password hash begins *NP* then the user has no password and password authentication will always fail. o If the password hash begins *LK* then the account is considered locked and all authentication fails. Also, cron and at will not run jobs for that user. o Anything else, the account is considered enabled (although of course, password checking can still fail if the hash is not valid). I couldn't care less what the strings actually are, but we should probably use *LOCKED* for the locked case, although I can see that we may wish to use something else to provide a somewhat backward compatible route - those who have been using the string *LOCKED* as stated in the pw manual would get the same behaviour that they do now. I am willing to work on this, but not without general agreement on the above. Ceri --=20 That must be wonderful! I don't understand it at all. -- Moliere --PZYVFYZbFYjzBslI Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFGMJEeocfcwTS3JF8RAknjAKCRfcSvn/grYaZ6Qk+Sgi5hDXes3QCgnZj9 Fs8O0FK18ojGwyUaVo9g8f4= =8mOw -----END PGP SIGNATURE----- --PZYVFYZbFYjzBslI--