Date: Thu, 26 Apr 2007 17:44:18 +0400 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: Alexandr Kovalenko <never@nevermind.kiev.ua> Cc: Ceri Davies <ceri@submonkey.net>, cvs-src@freebsd.org, Yar Tikhiy <yar@freebsd.org>, src-committers@freebsd.org, cvs-all@freebsd.org Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c Message-ID: <20070426134418.GO7358@codelabs.ru> In-Reply-To: <20070426105458.GA98415@nevermind.kiev.ua> References: <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
Alexander, good day. Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote: > > In account management, verify whether the account has been locked > > with `pw lock', so that it's impossible to log into a locked account > > using an alternative authentication mechanism, such as an ssh key. > > This change affects only accounts locked with pw(8), i.e., having a > > `*LOCKED*' prefix in their password hash field, so people still can > > use a different pattern to disable password authentication only. > > Using the very same logic you should also add checking for '*', and for > any other string, which cannot be in password hash of different > algorithms. No, Yar is talking about the _locked_ accounts only. '*' means that user will not be able to authenticate with password. > By the way, what if some crypto algorithm, which will be > used for password hashing can produce hash, which contains substring > '*LOCKED*' ? We are not talking about the _substring_ -- we are talking about _prefix_. Look into your /etc/master.passwd -- every password starts with the '$<something>$' sequence that identifies the hashing algo. So _no_ valid password field will have anything that starts with '*' as the prefix. > But anyway, I think that it is not expected behavour of sshd/pam_unix. > > >From the pw manual page: > > USER LOCKING > The pw utility supports a simple _password_ locking mechanism for > users; it works by prepending the string `*LOCKED*' to the > beginning of the password field in master.passwd to prevent > successful authentication. > > Please note word _password_. There is nothing about locking _account_ > completely. It is arguably as the 'ps' page talks about passwords only, but can mean the accounts, because it was written with the password-auth in mind. Moreover, the next paragraph is: ----- The lock and unlock commands take a user name or uid of the account to lock or unlock, respectively. The -V, -C, and -q options as described above are accepted by these commands. ----- Note the 'account' word in it. > Please consider reviewing this PR and, hopefully, back out this commit. > At least for a lot of people - it is POLA violation. I think that it should be discuissed. Perhaps the Cerie's proposition should be takes as the basis. My two cents. -- Eygene
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070426134418.GO7358>