From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 30 13:00:42 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA9A416A4CE for ; Mon, 30 Aug 2004 13:00:42 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8AC7A43D45 for ; Mon, 30 Aug 2004 13:00:41 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i7UD0fEF050440 for ; Mon, 30 Aug 2004 13:00:41 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7UD0fQw050434; Mon, 30 Aug 2004 13:00:41 GMT (envelope-from gnats)
Resent-Date: Mon, 30 Aug 2004 13:00:41 GMT
Resent-Message-Id: <200408301300.i7UD0fQw050434@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Yar Tikhiy
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 90D3D16A4CE; Mon, 30 Aug 2004 12:53:53 +0000 (GMT)
Received: from stylish.chem.msu.su (stylish.chem.msu.su [158.250.32.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id B274543D39; Mon, 30 Aug 2004 12:53:49 +0000 (GMT) (envelope-from yar@stylish.chem.msu.su)
Received: from stylish.chem.msu.su (localhost [127.0.0.1]) by stylish.chem.msu.su (8.13.1/8.13.1) with ESMTP id i7UCqtop001808; Mon, 30 Aug 2004 16:52:55 +0400 (MSD) (envelope-from yar@stylish.chem.msu.su)
Received: (from yar@localhost) by stylish.chem.msu.su (8.13.1/8.13.1/Submit) id i7UCqs6v001807; Mon, 30 Aug 2004 16:52:54 +0400 (MSD) (envelope-from yar)
Message-Id: <200408301252.i7UCqs6v001807@stylish.chem.msu.su>
Date: Mon, 30 Aug 2004 16:52:54 +0400 (MSD)
From: Yar Tikhiy
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: des@FreeBSD.org
Subject: bin/71147: sshd(8) will allow to log into a locked account
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 30 Aug 2004 13:00:43 -0000

>Number:         71147
>Category:       bin
>Synopsis:       sshd(8) will allow to log into a locked account
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 30 13:00:41 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Yar Tikhiy
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
Moscow State University
>Environment:
System: FreeBSD stylish.chem.msu.su 6.0-CURRENT FreeBSD 6.0-CURRENT #1: Fri Aug 27 19:34:38 MSD 2004 root@stylish.chem.msu.su:/usr/obj/usr/src/sys/STYLISH i386
>Description:
In FreeBSD (and other BSDs), the well-known way to lock out a user's account is setting the user's encrypted password to an asterisk character, `*', in master.passwd. Arguably, one can also lock out a user by just _prefixing_ the password field value with `*'. Anyway, sshd(8) will ignore either lock and allow the user to log in if he authenticates himself by means other than the Unix password, e.g., using his public key.
>How-To-Repeat:
1) set up pub-key authentication for a user;
2) lock out the user's account by setting the password field of the user's record in master.passwd to just an asterisk;
3) try to log into the account via SSH using the user's pub-key;
4) see successful login.
>Fix:
If we forget about PAM for a while, the bug exists because src/crypto/openssh/configure.ac lacks a description of account locking for FreeBSD. It may be added to the OpenSSH source tree or to the FreeBSD source tree, but in either case it's a FreeBSD-specific issue.

The fix is as follows: find the FreeBSD-specific section (search for "freebsd") and add an AC macro there specifying the lock method. It may be AC_DEFINE(LOCKED_PASSWD_STRING, "*") or AC_DEFINE(LOCKED_PASSWD_PREFIX, "*") depending on which "tradition" we decide to stick to.

Why does PAM allow locked users in? That's another issue...
>Release-Note:
>Audit-Trail:
>Unformatted:
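As an added example (not part of the PR, and not OpenSSH's or FreeBSD's code), the following C model shows the locked-account check the Fix section asks for and why its absence lets a public-key login through. The two macro names from the PR are used as stand-ins for whichever one configure.ac would define; the `lock_policy` enum and the function names are assumptions made for the illustration, and the sample password fields are constructed, with hashes that are not real.

```c
/*
 * Added example, not code from OpenSSH or FreeBSD: a model of the
 * locked-account check described in bin/71147. With no lock method
 * compiled in, a verified public key is enough to log into an account
 * whose master.passwd password field is "*".
 */
#include <stdio.h>
#include <string.h>

/* Stand-ins for the configure.ac macros named in the PR. In a real
 * build only one would be defined via AC_DEFINE; both are kept here so
 * the two BSD "traditions" can be compared side by side. */
#define LOCKED_PASSWD_STRING "*"
#define LOCKED_PASSWD_PREFIX "*"

/* Hypothetical selector for which check is compiled in. */
enum lock_policy {
    LOCK_NONE,          /* neither macro defined: the bug the PR reports */
    LOCK_EXACT_STRING,  /* password field is exactly "*" */
    LOCK_PREFIX         /* password field starts with "*" */
};

/* Return 1 if pw_passwd (the encrypted-password field taken from
 * master.passwd) marks the account as locked under `policy', else 0. */
int account_locked(const char *pw_passwd, enum lock_policy policy)
{
    if (pw_passwd == NULL)
        return 0;
    switch (policy) {
    case LOCK_EXACT_STRING:
        return strcmp(pw_passwd, LOCKED_PASSWD_STRING) == 0;
    case LOCK_PREFIX:
        return strncmp(pw_passwd, LOCKED_PASSWD_PREFIX,
                       strlen(LOCKED_PASSWD_PREFIX)) == 0;
    default:
        return 0;   /* no lock method compiled in: nothing is ever locked */
    }
}

/* Model of the gate applied after public-key authentication succeeds.
 * The key has already been verified, so only an explicit lock check can
 * refuse the login. Returns 1 to allow, 0 to deny. */
int pubkey_login_allowed(const char *pw_passwd, enum lock_policy policy)
{
    return !account_locked(pw_passwd, policy);
}

/* Constructed sample password fields (not real hashes). */
static const char *const samples[] = {
    "*",                          /* locked the classic BSD way */
    "*$1$saltsalt$notarealhash",  /* locked by prefixing the old hash */
    "$1$saltsalt$notarealhash",   /* live account */
    "",                           /* empty password field */
};

int main(void)
{
    static const char *const names[] = { "none", "exact \"*\"", "prefix \"*\"" };
    size_t i;
    int p;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("field %-28s", samples[i][0] ? samples[i] : "(empty)");
        for (p = LOCK_NONE; p <= LOCK_PREFIX; p++)
            printf("  %s: %s", names[p],
                   pubkey_login_allowed(samples[i], (enum lock_policy)p)
                       ? "ALLOW" : "deny");
        putchar('\n');
    }
    return 0;
}
```

Run as-is, the table shows that under `LOCK_NONE` every field, including a bare `*`, yields ALLOW for a public-key login, which is the behaviour the PR reports; `LOCK_EXACT_STRING` catches only the bare asterisk, while `LOCK_PREFIX` also catches a hash that has merely been prefixed with `*`, the second convention the PR mentions.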