Date: Tue, 31 Aug 2004 12:10:45 GMT From: Ruslan Ermilov <ru@FreeBSD.org> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Message-ID: <200408311210.i7VCAjOS048759@freefall.freebsd.org>
The following reply was made to PR bin/71147; it has been noted by GNATS. 
From: Ruslan Ermilov <ru@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Tue, 31 Aug 2004 15:07:57 +0300

Yar asked me to follow up here...

As it turns out, this feature is available only in recent OpenSSH versions (I haven't investigated which version it first appeared in). I originally looked at the 4.x version of the sshd(8) manpage, and it didn't mention any such feature. In HEAD, OpenSSH provides this useful feature; here's a relevant excerpt from the sshd(8) manpage in HEAD:

: Regardless of the authentication type, the account is
: checked to ensure that it is accessible. An account is
: not accessible if it is locked, listed in DenyUsers or
: its group is listed in DenyGroups. The definition of
: a locked account is system dependant. Some platforms have
: their own account database (eg AIX) and some modify the
: passwd field (`*LK*' on Solaris, `*' on HP-UX, containing
: `Nologin' on Tru64 and a leading `!!' on Linux). If there
: is a requirement to disable password authentication for
: the account while still allowing public-key, then the
: passwd field should be set to something other than these
: values (eg `NP' or `*NP*').

For FreeBSD, I think the locking type should match the one used by pw(8):

: USER LOCKING
: The pw utility supports a simple password locking mechanism
: for users; it works by prepending the string `*LOCKED*'
: to the beginning of the password field in master.passwd
: to prevent successful authentication. The lock and unlock
: commands take a user name or uid of the account to lock
: or unlock, respectively. The -V, -C, and -q options as
: described above are accepted by these commands.
That would be (in the patch form): %%% Index: configure.ac =================================================================== RCS file: /home/ncvs/src/crypto/openssh/configure.ac,v retrieving revision 1.9 diff -u -r1.9 configure.ac --- configure.ac 20 Apr 2004 09:46:39 -0000 1.9 +++ configure.ac 31 Aug 2004 12:05:17 -0000 @@ -264,6 +264,7 @@ ;; *-*-freebsd*) check_for_libcrypt_later=1 + AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*") ;; *-*-bsdi*) AC_DEFINE(SETEUID_BREAKS_SETUID) %%% Cheers, -- Ruslan Ermilov ru@FreeBSD.org FreeBSD committer
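Review bot: the string in `AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*")` has to match pw(8)'s lock marker byte for byte, because sshd's test is a prefix comparison on the passwd field: pw prepends `*LOCKED*` to the existing hash, so `*LOCKED*$1$...` is refused, while a lone `*` or `*NP*` (the public-key-only convention the quoted manpage text recommends) stays accessible. A one-line comment next to the define saying that it mirrors pw(8)'s USER LOCKING string, and that it deliberately does not match `*`, would keep a later reader from "widening" it and locking key-only accounts out.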
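As an added illustration of the check the thread is talking about (this is example code written for this page, not sshd's or pw's own implementation), the following C program extracts the password field from a master.passwd(5) line and applies the prefix test that the proposed `LOCKED_PASSWD_PREFIX` define would enable. The sample lines, the `passwd_field`/`account_locked`/`line_locked` helper names and the fake hashes are all constructed for the example; the prefix value `*LOCKED*` is the one pw(8) documents.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Configure-time choice, as in the proposed configure.ac hunk. */
#define LOCKED_PASSWD_PREFIX "*LOCKED*"

/* Copy the second colon-separated field (the password hash) of a
 * master.passwd(5) line into buf. Returns false if the line is malformed
 * or the field does not fit. Hypothetical helper, not from sshd. */
static bool passwd_field(const char *line, char *buf, size_t buflen)
{
    const char *start = strchr(line, ':');
    if (start == NULL)
        return false;
    start++;
    const char *end = strchr(start, ':');
    if (end == NULL)
        return false;
    size_t n = (size_t)(end - start);
    if (n >= buflen)
        return false;
    memcpy(buf, start, n);
    buf[n] = '\0';
    return true;
}

/* Locked-account test as sshd(8) describes it for prefix-style platforms:
 * the field is locked only if it *starts with* the configured marker.
 * A lone "*" or "*NP*" therefore does not count as locked, which is what
 * keeps public-key-only accounts usable. */
static bool account_locked(const char *pw_field, const char *prefix)
{
    return strncmp(pw_field, prefix, strlen(prefix)) == 0;
}

/* Decide from a whole master.passwd line.
 * Returns 1 if locked, 0 if accessible, -1 if the line cannot be parsed. */
int line_locked(const char *line)
{
    char field[256];
    if (!passwd_field(line, field, sizeof field))
        return -1;
    return account_locked(field, LOCKED_PASSWD_PREFIX) ? 1 : 0;
}

/* Constructed sample lines; the hashes are placeholders, not real ones. */
static const char *const samples[] = {
    "alice:*LOCKED*$1$abcdefgh$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$1$abcdefgh$0123456789abcdefghijkl:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:*NP*:1003:1003::0:0:Carol (keys only):/home/carol:/bin/sh",
    "dave:*:1004:1004::0:0:Dave:/home/dave:/bin/sh",
    "broken line without fields",
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = line_locked(samples[i]);
        printf("%-10.10s -> %s\n", samples[i],
               r == 1 ? "locked" : r == 0 ? "accessible" : "malformed");
    }
    return 0;
}
```

Running it shows `alice` refused and `bob`, `carol` and `dave` still accessible; the distinction between `*LOCKED*` as a prefix and `*`/`*NP*` as whole-field values is exactly why the define is a prefix and not an equality match.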