From owner-cvs-all@FreeBSD.ORG Thu Apr 26 13:58:58 2007
Date: Thu, 26 Apr 2007 17:44:18 +0400
From: Eygene Ryabinkin
To: Alexandr Kovalenko
Cc: Ceri Davies, cvs-src@freebsd.org, Yar Tikhiy, src-committers@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
Message-ID: <20070426134418.GO7358@codelabs.ru>
References: <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua>
In-Reply-To: <20070426105458.GA98415@nevermind.kiev.ua>

Alexander, good day.

Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote:
> > In account management, verify whether the account has been locked
> > with `pw lock', so that it's impossible to log into a locked account
> > using an alternative authentication mechanism, such as an ssh key.
> > This change affects only accounts locked with pw(8), i.e., having a
> > `*LOCKED*' prefix in their password hash field, so people still can
> > use a different pattern to disable password authentication only.
>
> Using the very same logic you should also add checking for '*', and for
> any other string, which cannot be in password hash of different
> algorithms.

No, Yar is talking about the _locked_ accounts only. '*' means that user
will not be able to authenticate with password.

> By the way, what if some crypto algorithm, which will be
> used for password hashing can produce hash, which contains substring
> '*LOCKED*' ?

We are not talking about the _substring_ -- we are talking about _prefix_.
Look into your /etc/master.passwd -- every password starts with the '$$'
sequence that identifies the hashing algo. So _no_ valid password field
will have anything that starts with '*' as the prefix.

> But anyway, I think that it is not expected behaviour of sshd/pam_unix.
>
> From the pw manual page:
>
> USER LOCKING
>      The pw utility supports a simple _password_ locking mechanism for
>      users; it works by prepending the string `*LOCKED*' to the
>      beginning of the password field in master.passwd to prevent
>      successful authentication.
>
> Please note word _password_. There is nothing about locking _account_
> completely.

It is arguable, as the 'pw' page talks about passwords only, but can mean
the accounts, because it was written with the password-auth in mind.
Moreover, the next paragraph is:
-----
     The lock and unlock commands take a user name or uid of the account
     to lock or unlock, respectively.  The -V, -C, and -q options as
     described above are accepted by these commands.
-----
Note the 'account' word in it.

> Please consider reviewing this PR and, hopefully, back out this commit.
> At least for a lot of people - it is POLA violation.

I think that it should be discussed. Perhaps Ceri's proposition should be
taken as the basis.

My two cents.
-- 
Eygene
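Added example, not part of the thread and not the pam_unix.c code being discussed: a small C program that applies the prefix rule the reply stresses to constructed master.passwd(5) lines. It separates an account locked with pw(8) (password field starting with `*LOCKED*`) from a field that merely disables password authentication (starting with `*`), from an empty field, and from an ordinary crypt(3) hash, and it treats `*LOCKED*` as a prefix only, so a hash that happened to contain that string in the middle would not be mistaken for a lock. The enum, the helper names and the allow/refuse return values are this example's own, not PAM's API.

```c
/* Added example (not FreeBSD's pam_unix.c): classify the password field of a
 * master.passwd(5) entry by PREFIX, as the reply describes. */
#include <stdio.h>
#include <string.h>

#define LOCKED_PREFIX "*LOCKED*"   /* string pw(8) prepends on `pw lock' */

enum pwfield_kind {
    PWF_HASH,        /* ordinary crypt(3) hash, e.g. "$1$..." */
    PWF_LOCKED,      /* account locked with pw(8): "*LOCKED*" prefix */
    PWF_NO_PASSWORD, /* password auth disabled ("*"); other mechanisms
                        such as an ssh key are still permitted */
    PWF_EMPTY        /* empty field */
};

/* Prefix check only: a hash that merely contains "*LOCKED*" somewhere
 * inside is still an ordinary hash, not a locked account. */
enum pwfield_kind classify_pwfield(const char *pw)
{
    if (pw == NULL || *pw == '\0')
        return PWF_EMPTY;
    if (strncmp(pw, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0)
        return PWF_LOCKED;
    if (*pw == '*')
        return PWF_NO_PASSWORD;
    return PWF_HASH;
}

/* Copy the second colon-separated field (the password hash) of a
 * master.passwd line into out.  Returns 0 on success, -1 if the line is
 * malformed or the field does not fit. */
int passwd_field_of(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (start == NULL)
        return -1;
    start++;
    const char *end = strchr(start, ':');
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n >= outlen)
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Account-management decision as the commit message describes it: only a
 * pw(8)-locked account is refused, whatever authentication mechanism was
 * used; "*" alone does not refuse the account.  Returns 1 = usable,
 * 0 = refuse (a malformed entry fails closed). */
int account_is_usable(const char *line)
{
    char pw[256];
    if (passwd_field_of(line, pw, sizeof pw) != 0)
        return 0;
    return classify_pwfield(pw) != PWF_LOCKED;
}

int main(void)
{
    /* Constructed sample entries; the hashes are placeholders, not real. */
    static const char *samples[] = {
        "alice:$1$examplesalt$examplehash:1001:1001::0:0:Alice:/home/alice:/bin/sh",
        "bob:*LOCKED*$1$examplesalt$examplehash:1002:1002::0:0:Bob:/home/bob:/bin/sh",
        "carol:*:1003:1003::0:0:Carol (ssh key only):/home/carol:/bin/sh",
        "dave::1004:1004::0:0:Dave:/home/dave:/bin/sh",
    };
    static const char *names[] = { "hash", "locked", "no-password", "empty" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char pw[256];
        if (passwd_field_of(samples[i], pw, sizeof pw) != 0)
            continue;
        printf("%-12s field=%-40s usable: %s\n",
               names[classify_pwfield(pw)], pw,
               account_is_usable(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

Running the program prints one line per constructed entry; only the `*LOCKED*` entry is reported as not usable, while the `*` entry stays usable for non-password mechanisms, which is exactly the distinction the commit message draws.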