From: "Simon L. Nielsen"
To: freebsd-bugs@FreeBSD.org
Date: Sat, 4 Sep 2004 19:10:28 GMT
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: "Simon L. Nielsen"
To: Yar Tikhiy
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 21:03:02 +0200

On 2004.09.04 19:52:38 +0400, Yar Tikhiy wrote:
> On Sat, Sep 04, 2004 at 05:13:14PM +0200, Simon L. Nielsen wrote:
> > On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
> > >
> > > Will Kerberos authentication codepath check for ``*LOCKED*'' either?
> >
> > No, I actually think Kerberos telnetd will allow login just as long as
> > there is a user account and a valid Kerberos account/ticket.
>
> That's a manifestation of the problem I had in mind when opening
> this PR. Namely, there is a discrepancy between the existence of
> a system-wide policy for locking user accounts on the one hand and
> having to implement the said policy in each piece of software
> involved on the other hand. If we decide here that the policy does
> exist, it will seem reasonable to implement it where it belongs,
> i.e. in setusercontext(). The function may check for ``*LOCKED*''
> if invoked with LOGIN_SETLOGIN set and return an error correspondingly.
> With this approach, we could leave alone sshd, telnetd, login, su,
> X display managers, as well as any logon-related sw using the function.

While I have no idea if setusercontext() is the right place to check,
something like what you propose sounds like a very good idea to me so
there is consistent behavior.

--
Simon L. Nielsen
FreeBSD Documentation Team
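An added sketch (not FreeBSD's code, and not what setusercontext() actually does) of the centralized check proposed above: one entry point that refuses a login session for an account whose password field carries the `*LOCKED*` marker, so that every caller, including an authentication path such as Kerberos that never looks at the password hash, gets the same policy. The flag values and the `locked_aware_setusercontext` name are hypothetical; the sample entries are constructed.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the LOGIN_SET* bits of <login_cap.h>;
 * the values are illustrative, not FreeBSD's. */
#define LOGIN_SETLOGIN 0x0001   /* caller is establishing a login session */
#define LOGIN_SETUSER  0x0002   /* caller only switches credentials (e.g. cron) */

/* pw(8) locks an account by prefixing its password hash with this marker. */
#define LOCKED_PREFIX "*LOCKED*"

/* True when the entry's password field carries the lock marker. */
int account_is_locked(const struct passwd *pwd)
{
    return pwd->pw_passwd != NULL &&
           strncmp(pwd->pw_passwd, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0;
}

/* The policy gate: deny only when a *login* session is being set up, so
 * non-login uses of the same function (LOGIN_SETUSER alone) are unaffected.
 * Returns 0 on success, -1 with errno = EPERM when the account is locked. */
int locked_aware_setusercontext(const struct passwd *pwd, unsigned flags)
{
    if ((flags & LOGIN_SETLOGIN) && account_is_locked(pwd)) {
        errno = EPERM;
        return -1;
    }
    /* The real function would now apply limits, set the login name,
     * switch credentials, etc.; omitted here. */
    return 0;
}

/* Constructed sample entries; the hashes are placeholders, not real ones. */
static const struct passwd sample_locked = {
    .pw_name = "alice", .pw_passwd = "*LOCKED*$1$constructed$hash",
};
static const struct passwd sample_active = {
    .pw_name = "bob", .pw_passwd = "$1$constructed$hash",
};

int main(void)
{
    printf("alice, login: %d\n", locked_aware_setusercontext(&sample_locked, LOGIN_SETLOGIN));
    printf("alice, cron:  %d\n", locked_aware_setusercontext(&sample_locked, LOGIN_SETUSER));
    printf("bob, login:   %d\n", locked_aware_setusercontext(&sample_active, LOGIN_SETLOGIN));
    return 0;
}
```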