From owner-freebsd-bugs@FreeBSD.ORG  Sun Jul  3 07:20:21 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4792116A41C
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  3 Jul 2005 07:20:21 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 30C0343D45
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  3 Jul 2005 07:20:21 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j637KLII091752
	for <freebsd-bugs@freefall.freebsd.org>; Sun, 3 Jul 2005 07:20:21 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j637KLiD091751;
	Sun, 3 Jul 2005 07:20:21 GMT (envelope-from gnats)
Date: Sun, 3 Jul 2005 07:20:21 GMT
Message-Id: <200507030720.j637KLiD091751@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Maxim Konovalov <maxim@macomnet.ru>
Cc: 
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Maxim Konovalov <maxim@macomnet.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Jul 2005 07:20:21 -0000

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Maxim Konovalov <maxim@macomnet.ru>
To: Ceri Davies <ceri@submonkey.net>
Cc: bug-followup@freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sun, 3 Jul 2005 11:14:13 +0400 (MSD)

 [...]
 > >  >  On Mon, Aug 30, 2004 at 04:52:54PM +0400, Yar Tikhiy wrote:
 > >  >  Y> 	In FreeBSD (and other BSDs,) the well-known way to lock out
 > >  >  Y> 	a user's account is setting the user's encrypted password to
 > >  >  Y> 	an asterisk character, `*', in master.passwd.  Arguably, one
 > >  >  Y> 	can also lock out a user by just _prefixing_ the password field
 > >  >  Y> 	value with `*'.  Anyway, sshd(8) will ignore either lock
 > >  >  Y> 	and allow the user to log in if he authenticates himself by
 > >  >  Y> 	means other than the Unix password, e.g., using his public key.
 > >  >
 > >  >  This is not a bug, it's a feature! Any ssh (not only Open) has the
 > >  >  same behavior on any unix operating system.
 > >
 > >  sshd works as expected (does not allow to login to a system) on
 > >  solaris 8.
 >
 > Solaris has two strings for locked out accounts:
 >
 > 	*LK* which indicates that an account is locked
 > 	*NP* which indicates that an account has no password and that
 > 	     only other authentication mechanisms should succeed
 >
 > Which one works?
 
 Both work as described.
 
 -- 
 Maxim Konovalov