Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 20 Sep 2005 10:16:28 +0100
From:      Ceri Davies <ceri@submonkey.net>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Subject:   Re: cvs commit: src/share/man/man5 passwd.5
Message-ID:  <20050920091628.GL4124@submonkey.net>
In-Reply-To: <20050919174017.GA38329@flame.pc>
References:  <200509181540.j8IFe2LR042274@repoman.freebsd.org> <20050918200104.F89636@ury.york.ac.uk> <20050918203109.GA1419@flame.pc> <20050918222401.GQ441@submonkey.net> <20050919122020.GA1759@flame.pc> <20050919165219.GB4124@submonkey.net> <20050919174017.GA38329@flame.pc>

next in thread | previous in thread | raw e-mail | index | archive | help

--i0/AhcQY5QxfSsSZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Sep 19, 2005 at 08:40:17PM +0300, Giorgos Keramidas wrote:
> On 2005-09-19 17:52, Ceri Davies <ceri@submonkey.net> wrote:
> >
> > What I'm getting at is that some operating systems allow a special *FOO
> > string in their (equivalent of) master.passwd file in order to indicate
> > that sshd should not allow users with that string in their entry to log
> > in.
> >
> > For example, Solaris uses the string *NP* to indicate that a user has no
> > password - password authentication is therefore disabled for that user,
> > disallowing su, password-based ssh access, etc.  Cron jobs, key-based
> > auth, etc. continue to work.  It also supports *LK* which indicates that
> > an account is locked: in this case, cron jobs for the user will not be
> > run and ssh access is denied altogether.
> >
> > The ssh bit works because OpenSSH knows that it should be looking for
> > the string *LK* and denying access if it is there.  Search for
> > LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.
> >
> > What I'm wondering is why OpenSSH doesn't know about *LOCKED*;  previous
> > discussions that I've had indicate that this is because we (the FreeBSD
> > project) haven't decided that *LOCKED* is canonical enough yet.
>=20
> Right.  This is exactly why I didn't even attempt to document anything
> to that effect.  I'm not sure what to write about, so I don't write
> something that is wrong :)

Fair enough :)

So does anyone think that feeding this back to the OpenSSH project makes
sense?

Ceri
--=20
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)

--i0/AhcQY5QxfSsSZ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDL9NsocfcwTS3JF8RAtF/AKCwwnmH/Xg3eGZh3iMbHIpj/TZ8kgCfbHvs
zzqz4KOJm6yiy/sBQzCxEkA=
=Q9G/
-----END PGP SIGNATURE-----

--i0/AhcQY5QxfSsSZ--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050920091628.GL4124>