Date: Mon, 30 Aug 2004 15:00:50 GMT From: Ruslan Ermilov <ru@freebsd.org> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Message-ID: <200408301500.i7UF0oFd065431@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/71147; it has been noted by GNATS. From: Ruslan Ermilov <ru@freebsd.org> To: Yar Tikhiy <yar@comp.chem.msu.su> Cc: FreeBSD-gnats-submit@freebsd.org, des@freebsd.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Date: Mon, 30 Aug 2004 17:59:48 +0300 On Mon, Aug 30, 2004 at 04:52:54PM +0400, Yar Tikhiy wrote: > > >Description: > In FreeBSD (and other BSDs,) the well-known way to lock out > a user's account is setting the user's encrypted password to > an asterisk character, `*', in master.passwd. Arguably, one > can also lock out a user by just _prefixing_ the password field > value with `*'. Anyway, sshd(8) will ignore either lock > and allow the user to log in if he authenticates himself by > means other than the Unix password, e.g., using his public key. > Yes, if sshd(8) is configured accordingly. > >Fix: > If we forget about PAM for a while, the bug exists because > src/crypto/openssh/configure.ac lacks description of account > locking for FreeBSD. It may be added to the OpenSSH source > tree or to the FreeBSD source tree, but in either case it's > a FreeBSD-specific issue. The fix is as follows: find the > FreeBSD-specific section (search for "freebsd") and add an AC > macro there specifying the lock method. It may be > > AC_DEFINE(LOCKED_PASSWD_STRING, "*") > > or > > AC_DEFINE(LOCKED_PASSWD_PREFIX, "*") > > depending on which "tradition" we decide to stick to. > > Why does PAM allows locked users in? That's another issue... > PAM does not -- it's the pubkey authentification that does. If you disable public key authentification method in sshd_config(5) (which is enabled by default) then only PAM will be used, and no user with locked password will be able to log in. What you're probably looking for is to set the PubkeyAuthentication and RSAAuthentication parameters to "no" in /etc/ssh/sshd_config. Cheers, -- Ruslan Ermilov ru@FreeBSD.org FreeBSD committer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200408301500.i7UF0oFd065431>