Date:      Mon, 30 Apr 2007 14:15:04 +0100
From:      Ceri Davies <ceri@submonkey.net>
To:        Yar Tikhiy <yar@comp.chem.msu.su>
Cc:        cvs-src@freebsd.org, Alexandr Kovalenko <never@nevermind.kiev.ua>, src-committers@freebsd.org, cvs-all@freebsd.org
Subject:   Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
Message-ID:  <20070430131503.GY77408@submonkey.net>
In-Reply-To: <20070427160740.GF3991@comp.chem.msu.su>
References:  <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua> <20070426114638.GC77408@submonkey.net> <20070427160740.GF3991@comp.chem.msu.su>


On Fri, Apr 27, 2007 at 08:07:40PM +0400, Yar Tikhiy wrote:
> On Thu, Apr 26, 2007 at 12:46:38PM +0100, Ceri Davies wrote:
> > On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote:
> > > Hello, Yar Tikhiy!
> > >
> > > On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote:
> > >
> > > > yar         2007-04-26 06:39:01 UTC
> > > >
> > > >   FreeBSD src repository
> > > >
> > > >   Modified files:        (Branch: RELENG_6)
> > > >     lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
> > > >   Log:
> > > >   MFC:
> > > >           pam_unix.c      1.52
> > > >           pam_unix.8      1.13
> > > >
> > > >     In account management, verify whether the account has been locked
> > > >     with `pw lock', so that it's impossible to log into a locked account
> > > >     using an alternative authentication mechanism, such as an ssh key.
> > > >     This change affects only accounts locked with pw(8), i.e., having a
> > > >     `*LOCKED*' prefix in their password hash field, so people still can
> > > >     use a different pattern to disable password authentication only.
> > >
> > > Using the very same logic you should also add checking for '*', and for
> > > any other string, which cannot be in password hash of different
> > > algorithms. By the way, what if some crypto algorithm, which will be
> > > used for password hashing can produce hash, which contains substring
> > > '*LOCKED*' ?
> >
> > We really need to grow the same mechanism for this as Solaris has.
> > The way that this works is:
> >
> >   o If the password hash begins *NP* then the user has no password
> >      and password authentication will always fail.
> >
> >   o If the password hash begins *LK* then the account is considered
> >      locked and all authentication fails.  Also, cron and at will
> >      not run jobs for that user.
> >
> >   o Anything else, the account is considered enabled (although of
> >      course, password checking can still fail if the hash is not
> >      valid).
> >
> > I couldn't care less what the strings actually are, but we should
> > probably use *LOCKED* for the locked case, although I can see that we
> > may wish to use something else to provide a somewhat backward compatible
> > route - those who have been using the string *LOCKED* as stated in the
> > pw manual would get the same behaviour that they do now.
> >
> > I am willing to work on this, but not without general agreement on the
> > above.
>
> I believe that general consensus in PR bin/71147 was that in FreeBSD
> a *LOCKED* prefix means the account is totally locked out while a
> single asterisk in the password field means password authentication
> is disabled.  And, it isn't unfounded.  That practice has already
> been supported by adduser(8) for quite a while.  Now OpenSSH, too,
> looks for *LOCKED* as the FreeBSD-specific indication of an account
> being locked out if PAM isn't used.  So I see my change to pam_unix(8)
> just as a step in the direction we've already been moving in.  To
> match Solaris, we just need to document our practice well.

Well, we currently have an *NP* case as per above, but not a *LK* case,
so I disagree somewhat.

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
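The two marker conventions argued over in this thread, as an added example that is not code from pam_unix, the FreeBSD tree or any of the posters: a small classifier for the password-hash field of a passwd entry that implements the Solaris `*NP*`/`*LK*` prefixes as Ceri describes them and the FreeBSD `*LOCKED*` prefix / lone `*` as Yar describes them. The enum, the function names and all sample hash values are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from pam_unix or the FreeBSD tree.  The enum
 * and function names are this example's own; the sample hash strings in
 * main() are constructed and are not real crypt(3) output.
 */
enum acct_status {
    ACCT_ENABLED,       /* normal account; the crypt(3) hash must still verify */
    ACCT_NO_PASSWORD,   /* password authentication always fails; other methods may succeed */
    ACCT_LOCKED         /* all authentication fails (on Solaris, cron/at also skip the user) */
};

/* Return non-zero if the hash field begins with the given marker. */
static int
has_prefix(const char *hash, const char *prefix)
{
    return strncmp(hash, prefix, strlen(prefix)) == 0;
}

/* Solaris convention as described in the thread: *LK* locks, *NP* means no password. */
enum acct_status
solaris_status(const char *hash)
{
    if (has_prefix(hash, "*LK*"))
        return ACCT_LOCKED;
    if (has_prefix(hash, "*NP*"))
        return ACCT_NO_PASSWORD;
    return ACCT_ENABLED;
}

/*
 * FreeBSD convention as described in the thread: a `*LOCKED*' prefix
 * (what `pw lock' writes) locks the account completely; a lone `*'
 * (the adduser(8) practice) disables password authentication only.
 * Only the prefix is examined, so a marker appearing later in the
 * field does not count as a lock.
 */
enum acct_status
freebsd_status(const char *hash)
{
    if (has_prefix(hash, "*LOCKED*"))
        return ACCT_LOCKED;
    if (strcmp(hash, "*") == 0)
        return ACCT_NO_PASSWORD;
    return ACCT_ENABLED;
}

/*
 * The account-management decision: only the lock marker refuses the
 * session, whatever authentication method (password, ssh key, ...)
 * brought the user this far.  A disabled password is not a lock.
 */
int
account_allowed(enum acct_status st)
{
    return st != ACCT_LOCKED;
}

static const char *
status_name(enum acct_status st)
{
    switch (st) {
    case ACCT_LOCKED:      return "locked";
    case ACCT_NO_PASSWORD: return "no-password";
    default:               return "enabled";
    }
}

int
main(void)
{
    /* Constructed sample hash fields (not real crypt output). */
    const char *samples[] = {
        "$1$abcdefgh$0123456789abcdefghijkl",
        "*LOCKED*$1$abcdefgh$0123456789abcdefghijkl",
        "*",
        "*NP*",
        "*LK*",
        "$1$ab*LOCKED*cd$0123",   /* marker not at the start: not a lock */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-45s freebsd=%-12s solaris=%s\n", samples[i],
            status_name(freebsd_status(samples[i])),
            status_name(solaris_status(samples[i])));
    return 0;
}
```

The check is anchored to the start of the field, which is why a genuine crypt(3) hash cannot collide with it: traditional DES output uses only `[./0-9A-Za-z]` and the modular formats begin with `$`, so neither ever starts with `*`.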
