Date: Thu, 26 Apr 2007 12:46:38 +0100 From: Ceri Davies <ceri@submonkey.net> To: Alexandr Kovalenko <never@nevermind.kiev.ua> Cc: cvs-src@freebsd.org, Yar Tikhiy <yar@freebsd.org>, src-committers@freebsd.org, cvs-all@freebsd.org Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c Message-ID: <20070426114638.GC77408@submonkey.net> In-Reply-To: <20070426105458.GA98415@nevermind.kiev.ua> References: <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
--PZYVFYZbFYjzBslI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote:
> Hello, Yar Tikhiy!
>=20
> On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote:
>=20
> > yar 2007-04-26 06:39:01 UTC
> >=20
> > FreeBSD src repository
> >=20
> > Modified files: (Branch: RELENG_6)
> > lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c=20
> > Log:
> > MFC:
> > pam_unix.c 1.52
> > pam_unix.8 1.13
> > =20
> > In account management, verify whether the account has been locked
> > with `pw lock', so that it's impossible to log into a locked account
> > using an alternative authentication mechanism, such as an ssh key.
> > This change affects only accounts locked with pw(8), i.e., having a
> > `*LOCKED*' prefix in their password hash field, so people still can
> > use a different pattern to disable password authentication only.
>=20
> Using the very same logic you should also add checking for '*', and for
> any other string, which cannot be in password hash of different
> algorithms. By the way, what if some crypto algorithm, which will be
> used for password hashing can produce hash, which contains substring
> '*LOCKED*' ?
We really need to grow the same mechanism for this as Solaris has.
The way that this works is:
o If the password hash begins *NP* then the user has no password
and password authentication will always fail.
o If the password hash begins *LK* then the account is considered
locked and all authentication fails. Also, cron and at will
not run jobs for that user.
o Anything else, the account is considered enabled (although of
course, password checking can still fail if the hash is not
valid).
I couldn't care less what the strings actually are, but we should
probably use *LOCKED* for the locked case, although I can see that we
may wish to use something else to provide a somewhat backward compatible
route - those who have been using the string *LOCKED* as stated in the
pw manual would get the same behaviour that they do now.
I am willing to work on this, but not without general agreement on the
above.
Ceri
--=20
That must be wonderful! I don't understand it at all.
-- Moliere
--PZYVFYZbFYjzBslI
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
iD8DBQFGMJEeocfcwTS3JF8RAknjAKCRfcSvn/grYaZ6Qk+Sgi5hDXes3QCgnZj9
Fs8O0FK18ojGwyUaVo9g8f4=
=8mOw
-----END PGP SIGNATURE-----
--PZYVFYZbFYjzBslI--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070426114638.GC77408>