Date: Mon, 30 Aug 2004 16:52:54 +0400 (MSD)
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: des@FreeBSD.org
Subject: bin/71147: sshd(8) will allow to log into a locked account
Message-ID: <200408301252.i7UCqs6v001807@stylish.chem.msu.su>
Resent-Message-ID: <200408301300.i7UD0fQw050434@freefall.freebsd.org>
>Number: 71147
>Category: bin
>Synopsis: sshd(8) will allow to log into a locked account
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 30 13:00:41 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Yar Tikhiy
>Release: FreeBSD 6.0-CURRENT i386
>Organization:
Moscow State University
>Environment:
System: FreeBSD stylish.chem.msu.su 6.0-CURRENT FreeBSD 6.0-CURRENT #1: Fri Aug 27 19:34:38 MSD 2004 root@stylish.chem.msu.su:/usr/obj/usr/src/sys/STYLISH i386
>Description:
In FreeBSD (and other BSDs) the well-known way to lock out a user's account is setting the user's encrypted password to an asterisk character, `*', in master.passwd. Arguably, one can also lock out a user by just _prefixing_ the password field value with `*'. Anyway, sshd(8) will ignore either lock and allow the user to log in if he authenticates himself by means other than the Unix password, e.g., using his public key.
>How-To-Repeat:
1) set up pub-key authentication for a user;
2) lock out the user's account by setting the password field of the user's record in master.passwd to just an asterisk;
3) try to log into the account via SSH using the user's pub-key;
4) see successful login.
>Fix:
If we forget about PAM for a while, the bug exists because src/crypto/openssh/configure.ac lacks a description of account locking for FreeBSD. It may be added to the OpenSSH source tree or to the FreeBSD source tree, but in either case it's a FreeBSD-specific issue. The fix is as follows: find the FreeBSD-specific section (search for "freebsd") and add an AC macro there specifying the lock method. It may be AC_DEFINE(LOCKED_PASSWD_STRING, "*") or AC_DEFINE(LOCKED_PASSWD_PREFIX, "*") depending on which "tradition" we decide to stick to.

Why does PAM allow locked users in? That's another issue...
>Release-Note:
>Audit-Trail:
>Unformatted:
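The two lock conventions named in the Fix section above, side by side, as an added example in C (editor's illustration, not OpenSSH's or FreeBSD's own code): locked_by_string and locked_by_prefix apply the LOCKED_PASSWD_STRING and LOCKED_PASSWD_PREFIX checks to an encrypted-password field, passwd_field and record_locked are assumed helper names, and the master.passwd records are constructed samples. Running it shows why the choice of macro matters: a field that merely starts with `*' is a lock only under the prefix convention.

```c
#include <stdio.h>
#include <string.h>

/* The two conventions the PR names, as the AC_DEFINE macros would set them:
 * STRING means the whole field must equal "*"; PREFIX means it need only start with "*". */
#define LOCKED_PASSWD_STRING "*"
#define LOCKED_PASSWD_PREFIX "*"

/* 1 if the field marks the account locked under the exact-match convention. */
int locked_by_string(const char *passwd) {
    return strcmp(passwd, LOCKED_PASSWD_STRING) == 0;
}
/* 1 if the field marks the account locked under the prefix convention. */
int locked_by_prefix(const char *passwd) {
    return strncmp(passwd, LOCKED_PASSWD_PREFIX, strlen(LOCKED_PASSWD_PREFIX)) == 0;
}

/* Copy the second colon-separated field of a master.passwd record (the encrypted
 * password) into buf. Returns 0 on success, -1 if the record is malformed. */
int passwd_field(const char *record, char *buf, size_t buflen) {
    const char *start = strchr(record, ':');
    if (start == NULL) return -1;
    const char *end = strchr(++start, ':');
    if (end == NULL) return -1;
    size_t len = (size_t)(end - start);
    if (len >= buflen) return -1;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return 0;
}

/* Apply one lock check to a whole record: 1 locked, 0 not locked, -1 malformed. */
int record_locked(const char *record, int (*check)(const char *)) {
    char field[256];
    if (passwd_field(record, field, sizeof field) != 0) return -1;
    return check(field);
}

int main(void) {
    /* Constructed sample records, not taken from any real master.passwd. */
    const char *records[] = {
        "alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh",
        "bob:*$1$zz$constructedhash:1002:1002::0:0:Bob:/home/bob:/bin/sh",
        "carol:$1$zz$constructedhash:1003:1003::0:0:Carol:/home/carol:/bin/sh",
    };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%s\n  string-locked=%d prefix-locked=%d\n", records[i],
               record_locked(records[i], locked_by_string), record_locked(records[i], locked_by_prefix));
    return 0;
}
```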
