Date:      Mon, 19 Sep 2005 17:52:19 +0100
From:      Ceri Davies <ceri@submonkey.net>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org, Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
Subject:   Re: cvs commit: src/share/man/man5 passwd.5
Message-ID:  <20050919165219.GB4124@submonkey.net>
In-Reply-To: <20050919122020.GA1759@flame.pc>
References:  <200509181540.j8IFe2LR042274@repoman.freebsd.org> <20050918200104.F89636@ury.york.ac.uk> <20050918203109.GA1419@flame.pc> <20050918222401.GQ441@submonkey.net> <20050919122020.GA1759@flame.pc>


On Mon, Sep 19, 2005 at 03:20:20PM +0300, Giorgos Keramidas wrote:
> On 2005-09-18 23:24, Ceri Davies <ceri@submonkey.net> wrote:
> >On Sun, Sep 18, 2005 at 11:31:09PM +0300, Giorgos Keramidas wrote:
> >>On 2005-09-18 20:16, Gavin Atkinson <gavin.atkinson@ury.york.ac.uk> wrote:
> >>> On Sun, 18 Sep 2005, Giorgos Keramidas wrote:
> >>> > Modified files:
> >>> >   share/man/man5       passwd.5
> >>> > Log:
> >>> > Explain the use of `*' in master.passwd and that it's slightly
> >>> > different from the use of `*' in /etc/passwd.
> >>>
> >>> +.Nm master.passwd
> >>> +file, a password of
> >>> +.Ql *
> >>> +is used to indicate that no one can ever log into that account.
> >>> +The field only contains encrypted passwords, and
> >>> +.Ql *
> >>> +can never be the result of encrypting a password.
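Review bot: the sentence after the first `.Ql *`, "is used to indicate that no one can ever log into that account", claims more than the next added sentence supports. That sentence says the field only contains encrypted passwords, so a `*` there can only rule out authentication that checks a password against this field. Suggest wording along the lines of "no one can log into that account using a password", plus a short sentence saying that login methods which do not consult this field are unaffected.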
> >>>
> >>> This is not strictly true - all it prevents is logins using passwords.
> >>> Passwordless logins using SSH public keys (for example) are unaffected.
> >
> > Since "pw lock" has been entering the string '*LOCKED*' for years now,
> > is there any reason why this has never been fed back to the OpenSSH
> > project for inclusion as LOCKED_PASSWD_STRING for FreeBSD?
> >
> > Then we can document that in passwd.5 too and usage can start to
> > converge.
>
> Hi Ceri,
>
> The `*' reference above in master.passwd is not really OpenSSH-related.
> I think I'm not 100% sure why you were reminded of OpenSSH.  Do you mean
> that we should document OpenSSH's and pw's ``*LOCKED*'' convention in
> there too?

What I'm getting at is that some operating systems allow a special *FOO
string in their (equivalent of) master.passwd file in order to indicate
that sshd should not allow users with that string in their entry to log
in.

For example, Solaris uses the string *NP* to indicate that a user has no
password - password authentication is therefore disabled for that user,
disallowing su, password-based ssh access, etc.  Cron jobs, key-based
auth, etc. continue to work.  It also supports *LK* which indicates that
an account is locked: in this case, cron jobs for the user will not be
run and ssh access is denied altogether.

The ssh bit works because OpenSSH knows that it should be looking for
the string *LK* and denying access if it is there.  Search for
LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.

What I'm wondering is why OpenSSH doesn't know about *LOCKED*;  previous
discussions that I've had indicate that this is because we (the FreeBSD
project) haven't decided that *LOCKED* is canonical enough yet.

Ceri
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
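
An added example, not part of the original message and not FreeBSD or OpenSSH code: a Python triage of master.passwd entries using the markers named in this thread, flagging accounts that look disabled but where, as the thread notes, only password authentication is blocked. The `nologin` shell test, the prefix match on `*LOCKED*` and the sample entries are assumptions constructed for illustration.

```python
# Added example: triage master.passwd password fields by the markers
# discussed in the thread. All sample entries below are constructed.

PASSWORD_ONLY = {"*": "password-disabled", "*NP*": "solaris-no-password"}
PW_LOCK_PREFIX = "*LOCKED*"   # string "pw lock" enters, per the thread
SOLARIS_LOCK = "*LK*"         # string sshd looks for on Solaris, per the thread

def classify(field):
    """Label one password field from a master.passwd entry."""
    if field == SOLARIS_LOCK:
        return "solaris-locked"
    # Assumption: the marker may stand alone or be followed by the old hash.
    if field.startswith(PW_LOCK_PREFIX):
        return "pw-locked"
    if field in PASSWORD_ONLY:
        return PASSWORD_ONLY[field]
    return "empty" if field == "" else "hash"

def audit(text):
    """Return [(user, label, needs_review)] for master.passwd-format text."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 10:          # master.passwd has ten fields
            results.append((parts[0], "malformed", True))
            continue
        user, field, shell = parts[0], parts[1], parts[9]
        label = classify(field)
        # Assumption: a shell ending in "nologin" means no interactive use.
        interactive = not shell.endswith("nologin")
        # These markers stop password checks only; a key may still be accepted.
        soft = label in ("password-disabled", "solaris-no-password", "pw-locked")
        results.append((user, label, label == "empty" or (soft and interactive)))
    return results

SAMPLE = """\
root:$6$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
backup:*:1001:1001::0:0:Backup user:/home/backup:/bin/sh
alice:*LOCKED*$6$constructedhash:1002:1002::0:0:Alice:/home/alice:/bin/sh
guest::1003:1003::0:0:Guest:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, label, review in audit(SAMPLE):
        print(f"{user:8} {label:20} {'REVIEW' if review else 'ok'}")
```

Accounts marked for review are the ones whose authorized keys and cron jobs deserve a look before treating the account as closed.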



