From owner-freebsd-bugs@FreeBSD.ORG Sat Sep 4 16:00:50 2004
Date: Sat, 4 Sep 2004 16:00:49 GMT
Message-Id: <200409041600.i84G0nek022846@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Yar Tikhiy
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
List-Id: Bug reports

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Yar Tikhiy
To: "Simon L. Nielsen"
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 19:52:38 +0400

On Sat, Sep 04, 2004 at 05:13:14PM +0200, Simon L. Nielsen wrote:
> On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
> > On Wed, Sep 01, 2004 at 05:06:21PM +0200, Simon L. Nielsen wrote:
> > >
> > > Also a "*" in the password file does not prevent a user logging in
> > > when authenticating via Kerberos.
> >
> > Will the Kerberos authentication codepath check for ``*LOCKED*'' either?
>
> No, I actually think Kerberos telnetd will allow login just as long as
> there is a user account and a valid Kerberos account/ticket.

That's a manifestation of the problem I had in mind when opening this PR.
Namely, there is a discrepancy between the existence of a system-wide
policy for locking user accounts on the one hand and having to implement
the said policy in each piece of software involved on the other hand.

If we decide here that the policy does exist, it will seem reasonable to
implement it where it belongs, i.e. in setusercontext(). The function
may check for ``*LOCKED*'' if invoked with LOGIN_SETLOGIN set and return
an error correspondingly. With this approach, we could leave alone sshd,
telnetd, login, su, X display managers, as well as any logon-related
software using the function.

-- 
Yar
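The check proposed in the message above, written out as an added example. This is not FreeBSD code and not setusercontext() itself: it shows the shape of a single, centralised "is this account locked?" policy hook that inspects the password field for the ``*LOCKED*'' prefix which pw(8) lock prepends, and that refuses only when the caller is actually establishing a login session. The flag constants (DEMO_SETLOGIN, DEMO_SETLIMITS) stand in for LOGIN_SETLOGIN and a non-login flag from <login_cap.h>, and the passwd entries in main() are constructed for the demonstration; a bare "*" password (no valid hash) is deliberately not treated as a lock marker, since the thread notes that Kerberos ignores it anyway and it is a property of the authentication method rather than of the account-lock policy.

```c
/* Added example, not part of FreeBSD or of the PR: a centralised
 * locked-account check of the kind proposed for setusercontext(). */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for login_cap(3) flags (assumption for the demo; the real
 * LOGIN_SETLOGIN lives in <login_cap.h>). */
#define DEMO_SETLOGIN  0x0001u   /* a login session is being set up   */
#define DEMO_SETLIMITS 0x0002u   /* only resource limits are applied  */

/* Marker that pw(8) lock prepends to the password hash. */
#define LOCKED_PREFIX "*LOCKED*"

/* Returns 1 if the password field carries the pw(8) lock marker, else 0.
 * A bare "*" (no usable hash) is NOT a lock: it only says that password
 * authentication cannot succeed, which other methods (Kerberos, keys)
 * are free to ignore. */
int account_is_locked(const char *pw_passwd)
{
    if (pw_passwd == NULL)
        return 0;
    return strncmp(pw_passwd, LOCKED_PREFIX, sizeof(LOCKED_PREFIX) - 1) == 0;
}

/* Policy hook: refuse (return -1, errno = EPERM) only when a login
 * session is being established for a locked account. Callers that use
 * the same entry point merely to set limits or environment (no
 * DEMO_SETLOGIN) proceed unaffected, so the check can live in one place
 * without breaking non-login users of the function. */
int login_policy_check(const char *pw_passwd, unsigned flags)
{
    if ((flags & DEMO_SETLOGIN) && account_is_locked(pw_passwd)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Convenience wrapper over a full passwd entry, as a real
 * setusercontext() would see it. */
int login_policy_check_pw(const struct passwd *pw, unsigned flags)
{
    if (pw == NULL) {
        errno = EINVAL;
        return -1;
    }
    return login_policy_check(pw->pw_passwd, flags);
}

int main(void)
{
    /* Constructed entries; the hashes are placeholders, not real ones. */
    struct passwd locked = { 0 };
    struct passwd open   = { 0 };
    locked.pw_name   = "alice";
    locked.pw_passwd = "*LOCKED*$1$demo$placeholderhash";
    open.pw_name     = "bob";
    open.pw_passwd   = "$1$demo$placeholderhash";

    const struct passwd *users[] = { &locked, &open };
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        int login  = login_policy_check_pw(users[i], DEMO_SETLOGIN);
        int limits = login_policy_check_pw(users[i], DEMO_SETLIMITS);
        printf("%s: login %s, limits-only %s\n", users[i]->pw_name,
               login  == 0 ? "allowed" : "refused (EPERM)",
               limits == 0 ? "allowed" : "refused (EPERM)");
    }
    return 0;
}
```

The point of splitting on the flag is the one made in the message: sshd, telnetd, login, su and display managers all pass through the same function when they create a session, so the lock policy is enforced once there, while callers that only apply resource limits or environment settings are left alone.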