Date: Wed, 1 Sep 2004 10:40:23 GMT
From: Ceri Davies <ceri@submonkey.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Message-ID: <200409011040.i81AeNq2032212@freefall.freebsd.org>

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Ceri Davies <ceri@submonkey.net>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 11:32:06 +0100

On Wed, Sep 01, 2004 at 03:10:22AM +0000, Yar Tikhiy wrote:
> However, I feel that the full blown prefix `*LOCKED*' should be
> left for pw(8) purposes while just a leading asterisk may be
> considered by sshd(8) as a sure sign of an account being locked.
> E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.

I don't agree, Yar.  I think that "pw lock" should be the canonical way
to lock an account, that *LOCKED* should therefore be the string that
ssh checks for on FreeBSD (pw has been doing this for nearly five years,
so I believe that this is the de facto standard now), and that any other
string should be interpreted as "fail password authentication" only.

Whatever we choose, the string should be passed back to the OpenSSH team
so that they can check for it.

And this should all be documented as such, obviously ;-)

Ceri
-- 
It is not tinfoil, it is my new skin.  I am a robot.
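
The two readings discussed in this message, as an added example (not part of the original e-mail and not OpenSSH or FreeBSD code): it classifies the password field of master.passwd-style lines under the `*LOCKED*`-only rule and under the leading-asterisk rule. All function and macro names, the sample lines, and the assumption that a field starting with `*` cannot be a valid hash are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; none are OpenSSH or FreeBSD identifiers. */
enum acct_state { ACCT_OK, ACCT_NO_PASSWORD_AUTH, ACCT_LOCKED, ACCT_BAD_LINE };

#define PW_LOCK_STRING "*LOCKED*" /* prefix the message attributes to "pw lock" */

/* Copy field 2 (the password field) of a colon-separated master.passwd line. */
static int passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    const char *end = start ? strchr(start + 1, ':') : NULL;
    if (end == NULL || (size_t)(end - start - 1) >= outlen)
        return -1;
    memcpy(out, start + 1, (size_t)(end - start - 1));
    out[end - start - 1] = '\0';
    return 0;
}

/* star_means_locked = 0: only "*LOCKED*" locks; another leading '*' just
 * disables password authentication (assumed here: such a field cannot be a
 * valid hash). star_means_locked = 1: any leading '*' counts as locked. */
enum acct_state classify_line(const char *line, int star_means_locked)
{
    char pw[256];
    if (passwd_field(line, pw, sizeof(pw)) != 0)
        return ACCT_BAD_LINE;
    if (strncmp(pw, PW_LOCK_STRING, strlen(PW_LOCK_STRING)) == 0)
        return ACCT_LOCKED;
    if (pw[0] == '*')
        return star_means_locked ? ACCT_LOCKED : ACCT_NO_PASSWORD_AUTH;
    return ACCT_OK;
}

int main(void)
{
    /* Constructed sample lines; the hashes are placeholders, not real ones. */
    const char *lines[] = {
        "alice:$6$PLACEHOLDER$HASH:1001:1001::0:0:Alice:/home/alice:/bin/sh",
        "bob:*LOCKED*$6$PLACEHOLDER$HASH:1002:1002::0:0:Bob:/home/bob:/bin/sh",
        "carol:*:1003:1003::0:0:Carol:/home/carol:/bin/sh",
    };
    static const char *names[] = { "ok", "no-password-auth", "locked", "bad-line" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%s\n  *LOCKED* only: %s; leading '*': %s\n", lines[i],
               names[classify_line(lines[i], 0)], names[classify_line(lines[i], 1)]);
    return 0;
}
```

The two rules differ only on the third line: a bare `*` field is reported as locked under the leading-asterisk rule, but as password authentication disabled under the `*LOCKED*`-only rule.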