Date: Tue, 20 Sep 2005 10:16:28 +0100
From: Ceri Davies
To: Giorgos Keramidas
Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org, Gavin Atkinson
Subject: Re: cvs commit: src/share/man/man5 passwd.5
Message-ID: <20050920091628.GL4124@submonkey.net>
In-Reply-To: <20050919174017.GA38329@flame.pc>

On Mon, Sep 19, 2005 at 08:40:17PM +0300, Giorgos Keramidas wrote:
> On 2005-09-19 17:52, Ceri Davies wrote:
> >
> > What I'm getting at is that some operating systems allow a special *FOO
> > string in their (equivalent of) master.passwd file in order to indicate
> > that sshd should not allow users with that string in their entry to log
> > in.
> >
> > For example, Solaris uses the string *NP* to indicate that a user has no
> > password - password authentication is therefore disabled for that user,
> > disallowing su, password-based ssh access, etc. Cron jobs, key-based
> > auth, etc. continue to work. It also supports *LK* which indicates that
> > an account is locked: in this case, cron jobs for the user will not be
> > run and ssh access is denied altogether.
> >
> > The ssh bit works because OpenSSH knows that it should be looking for
> > the string *LK* and denying access if it is there. Search for
> > LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.
> >
> > What I'm wondering is why OpenSSH doesn't know about *LOCKED*; previous
> > discussions that I've had indicate that this is because we (the FreeBSD
> > project) haven't decided that *LOCKED* is canonical enough yet.
>
> Right. This is exactly why I didn't even attempt to document anything
> to that effect. I'm not sure what to write about, so I don't write
> something that is wrong :)

Fair enough :)

So does anyone think that feeding this back to the OpenSSH project makes
sense?

Ceri
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.
                          -- Einstein (attrib.)
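
The marker check discussed in this message, as an added example that is not part of the original mail and is not OpenSSH or FreeBSD code: it classifies the password field of a master.passwd-style entry and shows that a checker knowing only the Solaris strings does not treat a *LOCKED* entry as locked. The function names, the treatment of *LOCKED* as a prefix in front of the stored hash, and the sample entry are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Marker strings named in the message. Treating *LOCKED* as a prefix placed
 * in front of the stored hash is an assumption of this example. */
#define SOLARIS_LOCKED "*LK*"
#define SOLARIS_NOPASS "*NP*"
#define FREEBSD_LOCKED "*LOCKED*"

enum acct_state { ACCT_NORMAL, ACCT_NO_PASSWORD, ACCT_LOCKED, ACCT_BAD_ENTRY };

/* Copy the password field (second colon-separated field) into out. */
static int passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    const char *end = start ? strchr(start + 1, ':') : NULL;
    if (end == NULL || (size_t)(end - start - 1) >= outlen)
        return -1;                      /* malformed or oversized entry */
    memcpy(out, start + 1, (size_t)(end - start - 1));
    out[end - start - 1] = '\0';
    return 0;
}

/* know_freebsd == 0 recognises only the Solaris strings, the behaviour the
 * message describes; 1 also treats a *LOCKED* prefix as a locked account. */
enum acct_state classify_entry(const char *line, int know_freebsd)
{
    char pw[256];
    if (passwd_field(line, pw, sizeof(pw)) != 0)
        return ACCT_BAD_ENTRY;
    if (strcmp(pw, SOLARIS_LOCKED) == 0)
        return ACCT_LOCKED;
    if (know_freebsd && strncmp(pw, FREEBSD_LOCKED, strlen(FREEBSD_LOCKED)) == 0)
        return ACCT_LOCKED;
    if (strcmp(pw, SOLARIS_NOPASS) == 0)
        return ACCT_NO_PASSWORD;
    return ACCT_NORMAL;
}

/* Per the message: *NP* blocks only password logins, *LK* blocks ssh entirely. */
int key_login_allowed(enum acct_state s) { return s == ACCT_NORMAL || s == ACCT_NO_PASSWORD; }
int password_login_allowed(enum acct_state s) { return s == ACCT_NORMAL; }

int main(void)
{
    /* Constructed sample entry, not taken from a real system. */
    const char *e = "carol:*LOCKED*$1$constructed$hash:1003:1003::0:0:Carol:/home/carol:/bin/sh";
    printf("key login allowed: marker unknown=%d, marker known=%d\n",
        key_login_allowed(classify_entry(e, 0)), key_login_allowed(classify_entry(e, 1)));
    return 0;
}
```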