Date: Wed, 1 Sep 2004 11:10:24 GMT
Message-Id: <200409011110.i81BAOus036698@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Ruslan Ermilov
To: Ceri Davies
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 14:03:59 +0300

On Wed, Sep 01, 2004 at 10:40:23AM +0000, Ceri Davies wrote:
> I don't agree, Yar.  I think that "pw lock" should be the canonical way
> to lock an account, that *LOCKED* should therefore be the string that ssh
> checks for on FreeBSD (pw has been doing this for nearly five years, so
> I believe that this is the de facto standard now), and that any other string
> should be interpreted as "fail password authentication" only.
>
> Whatever we choose, the string should be passed back to the OpenSSH team
> so that they can check for it.
>
> And this should all be documented as such, obviously ;-)
>
Matching against the `*' prefix will also match the *LOCKED* prefix,
so I don't personally see a big problem here.  But *LOCKED* looks
nicer to me, and for anyone editing in vipw(8) anyway.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
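
The two matching rules discussed in this thread, compared over constructed master.passwd-style lines. This is an added example, not code from sshd, pw(8) or the thread's participants; the ten-field line layout, the sample accounts and all function names are assumptions of the example.

```python
# Constructed master.passwd(5)-style lines (assumed 10 colon-separated fields);
# the hashes are placeholders, not real values.
SAMPLE = """\
root:$2b$04$CONSTRUCTEDHASH:0:0::0:0:Charlie Root:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*LOCKED*$2b$04$CONSTRUCTEDHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$04$CONSTRUCTEDHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
"""

LOCK_PREFIX = "*LOCKED*"  # string the thread says "pw lock" uses


def parse(text):
    """Yield (login, password_field) for each non-empty, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        yield fields[0], fields[1]


def locked_exact(pw_field):
    """Rule 1: only the *LOCKED* prefix marks the account as locked."""
    return pw_field.startswith(LOCK_PREFIX)


def locked_star(pw_field):
    """Rule 2: any leading '*' marks the account as locked."""
    return pw_field.startswith("*")


def compare(text):
    """Map login -> (rule 1 verdict, rule 2 verdict)."""
    return {name: (locked_exact(pw), locked_star(pw)) for name, pw in parse(text)}


def disagreements(text):
    """Logins that the two rules classify differently."""
    return sorted(n for n, (exact, star) in compare(text).items() if exact != star)


if __name__ == "__main__":
    for name, (exact, star) in compare(SAMPLE).items():
        print(f"{name:8} exact={exact!s:5} star={star!s:5}")
    print("differ:", disagreements(SAMPLE))
```

Every account that rule 1 flags is also flagged by rule 2; the accounts listed under `differ` are the ones whose treatment depends on which rule is chosen.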