Date: Sat, 4 Sep 2004 16:00:49 GMT
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Message-ID: <200409041600.i84G0nek022846@freefall.freebsd.org>
The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: "Simon L. Nielsen" <simon@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 19:52:38 +0400

On Sat, Sep 04, 2004 at 05:13:14PM +0200, Simon L. Nielsen wrote:
> On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
> > On Wed, Sep 01, 2004 at 05:06:21PM +0200, Simon L. Nielsen wrote:
> > >
> > > Also a "*" in the password file does not prevent a user logging in
> > > when authenticating via Kerberos.
> >
> > Will the Kerberos authentication codepath check for ``*LOCKED*'' either?
>
> No, I actually think Kerberos telnetd will allow login just as long as
> there is a user account and a valid Kerberos account/ticket.

That's a manifestation of the problem I had in mind when opening this PR.
Namely, there is a discrepancy between the existence of a system-wide
policy for locking user accounts on the one hand and having to implement
the said policy in each piece of software involved on the other hand.

If we decide here that the policy does exist, it will seem reasonable to
implement it where it belongs, i.e. in setusercontext(). The function
may check for ``*LOCKED*'' if invoked with LOGIN_SETLOGIN set and return
an error correspondingly. With this approach, we could leave alone sshd,
telnetd, login, su, X display managers, as well as any logon-related sw
using the function.

-- 
Yar
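The centralized check proposed in the reply above, written out as an added illustration; this is not FreeBSD libc code and not part of the PR thread. The `lockcheck_*` functions and the `LC_SETLOGIN` flag value are hypothetical stand-ins for a check inside setusercontext(3) gated on LOGIN_SETLOGIN; the password hash fields in `main` are constructed samples, not real accounts.

```c
/* Added example (not FreeBSD code): a single "is this account locked?"
 * policy check of the kind the message proposes to put into
 * setusercontext(), so that sshd, telnetd, login, su and display managers
 * inherit it instead of each re-implementing it.
 * lockcheck_* and LC_SETLOGIN are hypothetical names for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* pw(8) locks an account by prefixing its encrypted password with this. */
#define LOCKED_PREFIX "*LOCKED*"

/* Stand-in for the LOGIN_SETLOGIN flag bit; the real value is irrelevant here. */
#define LC_SETLOGIN 0x0001u

/* True when the encrypted-password field carries the *LOCKED* marker.
 * A bare "*" (no usable password hash) is deliberately NOT treated as a
 * lock: as the thread notes, it only defeats password authentication and
 * says nothing about Kerberos or key-based logins. */
bool lockcheck_is_locked(const char *pw_passwd)
{
    if (pw_passwd == NULL)
        return false;
    return strncmp(pw_passwd, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0;
}

/* Emulates the proposed setusercontext() behaviour: when the caller is
 * establishing a login session (LC_SETLOGIN set), refuse a locked account
 * with -1 no matter how the user authenticated (password, key, ticket).
 * Callers that only apply resource limits or environment keep working. */
int lockcheck_setusercontext(const char *pw_passwd, unsigned flags)
{
    if ((flags & LC_SETLOGIN) && lockcheck_is_locked(pw_passwd))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample master.passwd password fields (not real hashes). */
    const struct { const char *name; const char *hash; } users[] = {
        { "alice", "$6$constructedsalt$constructedhashvalue" },
        { "bob",   "*LOCKED*$6$constructedsalt$constructedhashvalue" },
        { "carol", "*" },
    };
    size_t n = sizeof(users) / sizeof(users[0]);

    for (size_t i = 0; i < n; i++) {
        int login_rc = lockcheck_setusercontext(users[i].hash, LC_SETLOGIN);
        int limits_rc = lockcheck_setusercontext(users[i].hash, 0);
        printf("%-6s locked=%d login=%s limits-only=%s\n",
               users[i].name,
               lockcheck_is_locked(users[i].hash),
               login_rc == 0 ? "allowed" : "refused",
               limits_rc == 0 ? "allowed" : "refused");
    }
    return 0;
}
```

The point of the layout is that the policy lives in exactly one place and keys off the session-establishing flag, so a daemon that authenticates a user through a path that never looks at the password hash (Kerberos in the thread's example) still hits the lock check when it calls setusercontext() to start the login session.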