From owner-cvs-src@FreeBSD.ORG Sat Apr 28 13:18:04 2007 Return-Path: X-Original-To: cvs-src@FreeBSD.ORG Delivered-To: cvs-src@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C9EEB16A402; Sat, 28 Apr 2007 13:18:04 +0000 (UTC) (envelope-from never@kurush.osdn.org.ua) Received: from kurush.osdn.org.ua (external.osdn.org.ua [212.40.34.156]) by mx1.freebsd.org (Postfix) with ESMTP id 5D00913C459; Sat, 28 Apr 2007 13:18:03 +0000 (UTC) (envelope-from never@kurush.osdn.org.ua) Received: from kurush.osdn.org.ua (never@localhost [127.0.0.1]) by kurush.osdn.org.ua (8.12.11/8.12.11) with ESMTP id l3SDHneT051580; Sat, 28 Apr 2007 16:17:52 +0300 (EEST) (envelope-from never@kurush.osdn.org.ua) Received: (from never@localhost) by kurush.osdn.org.ua (8.12.11/8.12.11/Submit) id l3SDHnE6051577; Sat, 28 Apr 2007 16:17:49 +0300 (EEST) (envelope-from never) Date: Sat, 28 Apr 2007 16:17:49 +0300 From: Alexandr Kovalenko To: Yar Tikhiy Message-ID: <20070428131748.GA51455@nevermind.kiev.ua> References: <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua> <20070427162614.GG3991@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20070427162614.GG3991@comp.chem.msu.su> User-Agent: Mutt/1.5.4i X-Virus-Scanned: ClamAV 0.85.1/3175/Sat Apr 28 13:17:34 2007 on kurush.osdn.org.ua X-Virus-Status: Clean X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (kurush.osdn.org.ua [127.0.0.1]); Sat, 28 Apr 2007 16:17:52 +0300 (EEST) Cc: cvs-src@FreeBSD.ORG, src-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Apr 2007 13:18:04 -0000 Hello, Yar Tikhiy! On Fri, Apr 27, 2007 at 08:26:14PM +0400, you wrote: > On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote: > > Hello, Yar Tikhiy! > > > > On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote: > > > > > yar 2007-04-26 06:39:01 UTC > > > > > > FreeBSD src repository > > > > > > Modified files: (Branch: RELENG_6) > > > lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c > > > Log: > > > MFC: > > > pam_unix.c 1.52 > > > pam_unix.8 1.13 > > > > > > In account management, verify whether the account has been locked > > > with `pw lock', so that it's impossible to log into a locked account > > > using an alternative authentication mechanism, such as an ssh key. > > > This change affects only accounts locked with pw(8), i.e., having a > > > `*LOCKED*' prefix in their password hash field, so people still can > > > use a different pattern to disable password authentication only. > > > > Using the very same logic you should also add checking for '*', and for > > any other string, which cannot be in password hash of different > > algorithms. By the way, what if some crypto algorithm, which will be > > used for password hashing can produce hash, which contains substring > > '*LOCKED*' ? > > Please don't over-generalize. My change adds a check for a *LOCKED* > prefix only, which cannot appear in a password hash unless its current > format is broken. Neither an old DES hash nor a new multi-algorithm > hash can start with *LOCKED*. /sbin/nologin was used to disable logging in. There is also UsePAM option of sshd_config, why then UsePAM yes and UsePAM no should behave in a different way? > > But anyway, I think that it is not expected behavour of sshd/pam_unix. > > > > >From the pw manual page: > > > > USER LOCKING > > The pw utility supports a simple _password_ locking mechanism for > > users; it works by prepending the string `*LOCKED*' to the > > beginning of the password field in master.passwd to prevent > > successful authentication. > > > > Please note word _password_. There is nothing about locking _account_ > > completely. > > I believe account locking was implied in the days pw(8) was written. > > > Please consider reviewing this PR and, hopefully, back out this commit. > > At least for a lot of people - it is POLA violation. > > Just run adduser(8) and see how it implements account locking and > password auth disabling. That's the system policy my change is in > keeping with. That's the better argument, than pw(8). Agreee with you. But, then you should document it well, check every place where *LOCKED* is used in source code and, I suppose this change worth some HEADS UP or something like that. Beacuse this change is really may confuse ppl, who were relying on the "wrong" behavour for years. P.S. Fast and dirty search in sources showed only this: crypto/openssh/ChangeLog: "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and crypto/openssh/config.h:#define LOCKED_PASSWD_PREFIX "*LOCKED*" crypto/openssh/configure.ac: AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)]) crypto/openssh/sshd.8:.Ql \&*LOCKED\&* usr.sbin/adduser/adduser.8:.Dq Li *LOCKED* usr.sbin/pw/pw.8:.Ql *LOCKED* usr.sbin/pw/pw_user.c:static char locked_str[] = "*LOCKED*"; usr.sbin/pw/pw_user.c: * a "*LOCKED*" prefix from in front of the password to -- NEVE-RIPE, will build world for food Ukrainian FreeBSD User Group http://uafug.org.ua/