Date: Mon, 27 Jan 2003 06:35:47 -0500
From: Mike Makonnen
To: "Dan Mahoney, System Admin"
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: bin/47541: pw lock still allows access

On Mon, 27 Jan 2003 06:06:12 -0500 (EST)
"Dan Mahoney, System Admin" wrote:

> And any potential freeBSD user who needs the manpage may not know that.
> At the very least this should be listed in the BUGS section of the
> manpage.
>

This is not a bug.
Again, the keyword is "authentication". The purpose of modifying/locking the password field is so that the user cannot use the passwd database to authenticate him/herself. This is very different from disallowing a user from logging into a system.

To take your specific example, there are 2 ways by which a client logging into the system can ascertain that he is who he claims to be: the passwd database, and ssh authentication keys. By locking the passwd entry for that user you are in effect saying the client can no longer use the passwd database to log in to this system. The only way he can be allowed into the system is if he provides a valid ssh key.

Cheers.
--
Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
mtm@identd.net | Fingerprint: D228 1A6F C64E 120A A1C9 A3AA DAE1 E2AF DBCC 68B9
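
An added example, not part of the original message or of FreeBSD's own tooling: an audit that lists accounts whose password field is locked but which still have usable SSH key entries, the situation the reply above describes. It assumes the FreeBSD master.passwd field layout, the "*LOCKED*" prefix that pw lock places in the password field, and the default key file ~/.ssh/authorized_keys; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Assumed master.passwd layout:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

# locked_with_keys PASSWD_FILE [ROOT]
# Prints "name keyfile shell" for every locked account that still has at
# least one key entry. ROOT is prepended to each home directory; leave it
# empty on a live system.
locked_with_keys() {
    passwd_file=$1
    root=${2:-}
    # Select entries whose password field starts with the lock marker.
    awk -F: 'index($2, "*LOCKED*") == 1 { print $1 ":" $9 ":" $10 }' \
        "$passwd_file" |
    while IFS=: read -r name home shell; do
        keys="$root$home/.ssh/authorized_keys"
        # A usable entry is any line that is neither blank nor a comment.
        if [ -f "$keys" ] && grep -Eqv '^[[:space:]]*(#|$)' "$keys"; then
            echo "$name $keys $shell"
        fi
    done
}

# make_fixture DIR
# Builds constructed sample data (not taken from a real system):
# alice is locked and has a key, bob is not locked, carol is locked
# and has no key file.
make_fixture() {
    dir=$1
    mkdir -p "$dir/home/alice/.ssh" "$dir/home/bob/.ssh" "$dir/home/carol"
    cat > "$dir/master.passwd" <<'EOF'
alice:*LOCKED*$2a$04$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$constructedhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$2a$04$constructedhash:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
    echo 'ssh-ed25519 AAAAconstructedkey alice@example' \
        > "$dir/home/alice/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAAconstructedkey bob@example' \
        > "$dir/home/bob/.ssh/authorized_keys"
}

# Live use (as root): locked_with_keys /etc/master.passwd
```

If sshd_config sets AuthorizedKeysFile to another location, the path built in `keys` has to follow it.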