Date:      Sat, 4 Sep 2004 19:10:28 GMT
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/71147: sshd(8) will allow to log into a locked account
Message-ID:  <200409041910.i84JASoQ046453@freefall.freebsd.org>

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 21:03:02 +0200

 On 2004.09.04 19:52:38 +0400, Yar Tikhiy wrote:
 > On Sat, Sep 04, 2004 at 05:13:14PM +0200, Simon L. Nielsen wrote:
 > > On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
 > > >
 > > > Will the Kerberos authentication codepath check for ``*LOCKED*'' as well?
 > >
 > > No, I actually think Kerberos telnetd will allow login just as long as
 > > there is a user account and a valid Kerberos account/ticket.
 >
 > That's a manifestation of the problem I had in mind when opening
 > this PR.  Namely, there is a discrepancy between the existence of
 > a system-wide policy for locking user accounts on the one hand and
 > having to implement the said policy in each piece of software
 > involved on the other hand.  If we decide here that the policy does
 > exist, it will seem reasonable to implement it where it belongs,
 > i.e. in setusercontext().  The function may check for ``*LOCKED*''
 > if invoked with LOGIN_SETLOGIN set and return an error correspondingly.
 > With this approach, we could leave alone sshd, telnetd, login, su,
 > X display managers, as well as any logon-related sw using the function.
 
 While I have no idea if setusercontext() is the right place to check,
 something like what you propose sounds like a very good idea to me so
 there is consistent behavior.
 
 -- 
 Simon L. Nielsen
 FreeBSD Documentation Team
 
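A sketch of the centralized lock check Yar proposes above, added here as an example; it is not code from the PR or from FreeBSD's setusercontext(). The SETLOGIN_FLAG bit stands in for LOGIN_SETLOGIN, and the passwd entries and hash strings are constructed samples.

```c
/* Added example: a single place to enforce the "*LOCKED*" account policy,
 * so that sshd, telnetd, login, su and display managers need not each
 * re-implement the check. Not FreeBSD's own setusercontext() code. */
#include <errno.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* pw(8) locks an account by prefixing its password hash with this marker. */
#define LOCKED_PREFIX "*LOCKED*"

/* Hypothetical flag bit standing in for LOGIN_SETLOGIN from <login_cap.h>;
 * the real value is not reproduced here. */
#define SETLOGIN_FLAG 0x02u

/* True when the passwd entry carries the *LOCKED* marker. */
bool account_is_locked(const struct passwd *pwd)
{
    if (pwd == NULL || pwd->pw_passwd == NULL)
        return false;
    return strncmp(pwd->pw_passwd, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0;
}

/* Proposed policy hook: when the caller is establishing a login session
 * (SETLOGIN bit set), refuse a locked account with EACCES. Other uses of
 * the user context (e.g. applying resource limits only) are unaffected,
 * which is why the check is gated on the flag rather than unconditional. */
int check_login_allowed(const struct passwd *pwd, unsigned int flags)
{
    if ((flags & SETLOGIN_FLAG) && account_is_locked(pwd))
        return EACCES;
    return 0;
}

/* Constructed sample entries; the hash strings are not real credentials. */
const struct passwd sample_open   = { .pw_name = "alice",
                                      .pw_passwd = "$1$c0nstructed$hash" };
const struct passwd sample_locked = { .pw_name = "bob",
                                      .pw_passwd = "*LOCKED*$1$c0nstructed$hash" };

int main(void)
{
    printf("alice login: %d (0 = allowed)\n",
           check_login_allowed(&sample_open, SETLOGIN_FLAG));
    printf("bob login:   %d (EACCES = %d)\n",
           check_login_allowed(&sample_locked, SETLOGIN_FLAG), EACCES);
    return 0;
}
```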