Date: Mon, 27 Jan 2003 12:40:03 -0800 (PST)
From: "Matthew D. Fuller" <fullermd@over-yonder.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/47541: pw lock still allows access
Message-ID: <200301272040.h0RKe3eO005455@freefall.freebsd.org>
The following reply was made to PR bin/47541; it has been noted by GNATS.

From: "Matthew D. Fuller" <fullermd@over-yonder.net>
To: Mike Makonnen <mtm@identd.net>
Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, freebsd-gnats-submit@freebsd.org
Subject: Re: bin/47541: pw lock still allows access
Date: Mon, 27 Jan 2003 14:31:08 -0600

On Mon, Jan 27, 2003 at 06:35:47AM -0500 I heard the voice of
Mike Makonnen, and lo! it spake thus:
> On Mon, 27 Jan 2003 06:06:12 -0500 (EST)
> "Dan Mahoney, System Admin" <danm@prime.gushi.org> wrote:
>
> > And any potential freeBSD user who needs the manpage may not know that.
> > At the very least this should be listed in the BUGS section of the
> > manpage.
> >
>
> This is not a bug.
>
> Again, the keyword is "authentication". The purpose of modifying/locking the
> password field is so that the user can not use the passwd
> database to authenticate him/herself. This is very different from disallowing a
> user from logging into a system. To take your specific example, there are 2 ways
> by which a client logging into the system can ascertain that he is who he claims
> to be: the passwd database, and ssh authentication keys. By locking the passwd
> entry for that user you are in effect saying the client can no longer use the
> passwd database to login to this system. The only way he can be allowed into the
> system is if he provides a valid ssh key.

Oh, come on now... It's not a bug, it's a heads-up. Heads-ups are not
something outlawed in the Grand Creed Of Unix Systems.

Here's a patch.

Index: pw.8 =================================================================== RCS file: /usr/cvs/src/usr.sbin/pw/pw.8,v retrieving revision 1.32 diff -u -r1.32 pw.8 --- pw.8 12 Dec 2002 17:26:03 -0000 1.32 +++ pw.8 27 Jan 2003 20:28:58 -0000 
@@ -801,7 +801,15 @@ .Ql *LOCKED* to the beginning of the password field in .Pa master.passwd -to prevent successful authentication. +to prevent successful password authentication. +Note that this does not have impact on authentication by other means, +such as +.Pa .rhosts +or +.Xr hosts.equiv 5 , +or any of the alternate forms of authentication that +.Xr ssh 1 +may use. .Pp The .Ar lock

-- 
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/

"The only reason I'm burning my candle at both ends, is because I haven't
figured out how to light the middle yet"
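Review bot: The added sentence "Note that this does not have impact on authentication by other means" names the mechanisms that are unaffected but never states the consequence, which is that a locked account can still log in through them. That is the point the PR submitter tripped over, so the text should say it outright, for example "a locked account can still log in by other means, such as ...". "does not have impact on" also reads better as "does not affect", and the "or ... , or any of the alternate forms" chain would be clearer as one comma-separated list.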
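As an added example (not part of the original message and not code from pw), the sh function below lists accounts whose master.passwd password field carries the *LOCKED* prefix but which still hold non-password credentials in their home directory. The ROOT_PREFIX argument, the demo fixture and the per-user file paths checked (sshd's default key location, .rhosts, .shosts) are assumptions of this example.

```sh
#!/bin/sh
# audit_locked PASSWD_FILE [ROOT_PREFIX]
#   PASSWD_FILE  file in master.passwd(5) format:
#                name:password:uid:gid:class:change:expire:gecos:home:shell
#   ROOT_PREFIX  hypothetical parameter, prepended to each home directory so
#                the check can run against a copy or a mounted image
# Prints "name file [file ...]" for each locked account that still has
# credentials usable without the password database.
audit_locked() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        case $pw in '*LOCKED*'*) ;; *) continue ;; esac  # only locked entries
        found=
        # Assumed default locations; sshd_config may point elsewhere.
        for f in .ssh/authorized_keys .rhosts .shosts; do
            if [ -s "$root$home/$f" ]; then          # exists and is non-empty
                found="$found $f"
            fi
        done
        if [ -n "$found" ]; then
            printf '%s %s\n' "$name" "${found# }"
        fi
    done < "$passwd_file"
    return 0
}

# Constructed fixture: alice is locked and has a key, bob is locked with no
# key, carol has a key but is not locked. Only alice should be reported.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/bob" "$tmp/home/carol/.ssh"
    echo 'ssh-ed25519 AAAA-constructed alice@example' > "$tmp/home/alice/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAA-constructed carol@example' > "$tmp/home/carol/.ssh/authorized_keys"
    cat > "$tmp/master.passwd" <<'EOF'
alice:*LOCKED*$2a$04$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$2a$04$constructedhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$2a$04$constructedhash:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
    audit_locked "$tmp/master.passwd" "$tmp"
    rm -rf "$tmp"
}
```

On a live system, run `audit_locked /etc/master.passwd` as root, since the file is not world-readable.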