From owner-cvs-all@FreeBSD.ORG Mon Apr 30 13:15:12 2007 Return-Path: X-Original-To: cvs-all@freebsd.org Delivered-To: cvs-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4641E16A403; Mon, 30 Apr 2007 13:15:12 +0000 (UTC) (envelope-from ceri@submonkey.net) Received: from shrike.submonkey.net (cpc3-cdif2-0-0-cust64.cdif.cable.ntl.com [81.106.128.65]) by mx1.freebsd.org (Postfix) with ESMTP id D69ED13C46E; Mon, 30 Apr 2007 13:15:11 +0000 (UTC) (envelope-from ceri@submonkey.net) Received: from ceri by shrike.submonkey.net with local (Exim 4.66 (FreeBSD)) (envelope-from ) id 1HiVia-000Eg5-6W; Mon, 30 Apr 2007 14:15:04 +0100 Date: Mon, 30 Apr 2007 14:15:04 +0100 From: Ceri Davies To: Yar Tikhiy Message-ID: <20070430131503.GY77408@submonkey.net> References: <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua> <20070426114638.GC77408@submonkey.net> <20070427160740.GF3991@comp.chem.msu.su> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="n95ggtiZmkwHBchJ" Content-Disposition: inline In-Reply-To: <20070427160740.GF3991@comp.chem.msu.su> X-PGP: finger ceri@FreeBSD.org User-Agent: Mutt/1.5.15 (2007-04-06) Sender: Ceri Davies Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Apr 2007 13:15:12 -0000 --n95ggtiZmkwHBchJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 27, 2007 at 08:07:40PM +0400, Yar Tikhiy wrote: > On Thu, Apr 26, 2007 at 12:46:38PM +0100, Ceri Davies wrote: > > On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote: > > > Hello, Yar Tikhiy! > > >=20 > > > On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote: > > >=20 > > > > yar 2007-04-26 06:39:01 UTC > > > >=20 > > > > FreeBSD src repository > > > >=20 > > > > Modified files: (Branch: RELENG_6) > > > > lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c=20 > > > > Log: > > > > MFC: > > > > pam_unix.c 1.52 > > > > pam_unix.8 1.13 > > > > =20 > > > > In account management, verify whether the account has been lock= ed > > > > with `pw lock', so that it's impossible to log into a locked ac= count > > > > using an alternative authentication mechanism, such as an ssh k= ey. > > > > This change affects only accounts locked with pw(8), i.e., havi= ng a > > > > `*LOCKED*' prefix in their password hash field, so people still= can > > > > use a different pattern to disable password authentication only. > > >=20 > > > Using the very same logic you should also add checking for '*', and f= or > > > any other string, which cannot be in password hash of different > > > algorithms. By the way, what if some crypto algorithm, which will be > > > used for password hashing can produce hash, which contains substring > > > '*LOCKED*' ? > >=20 > > We really need to grow the same mechanism for this as Solaris has. > > The way that this works is: > >=20 > > o If the password hash begins *NP* then the user has no password > > and password authentication will always fail. > >=20 > > o If the password hash begins *LK* then the account is considered > > locked and all authentication fails. Also, cron and at will > > not run jobs for that user. > >=20 > > o Anything else, the account is considered enabled (although of > > course, password checking can still fail if the hash is not > > valid). > >=20 > > I couldn't care less what the strings actually are, but we should > > probably use *LOCKED* for the locked case, although I can see that we > > may wish to use something else to provide a somewhat backward compatible > > route - those who have been using the string *LOCKED* as stated in the > > pw manual would get the same behaviour that they do now. > >=20 > > I am willing to work on this, but not without general agreement on the > > above. >=20 > I believe that general consensus in PR bin/71147 was that in FreeBSD > a *LOCKED* prefix means the account is totally locked out while a > single asterisk in the password field means password authentication > is disabled. And, it isn't unfounded. That practice has already > been supported by adduser(8) for quite a while. Now OpenSSH, too, > looks for *LOCKED* as the FreeBSD-specific indication of an account > being locked out if PAM isn't used. So I see my change to pam_unix(8) > just as a step in the direction we've already been moving in. To > match Solaris, we just need to document our practice well. Well, we currently have an *NP* case as per above, but not a *LK* case, so I disagree somewhat. Ceri --=20 That must be wonderful! I don't understand it at all. -- Moliere --n95ggtiZmkwHBchJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFGNevXocfcwTS3JF8RAhnDAKCCBTjMb5PDrlLjc3IitPqd8ldWeACfcJl0 XhTijfZgj4bLfo1Uu6o9amA= =Q50P -----END PGP SIGNATURE----- --n95ggtiZmkwHBchJ--