From owner-freebsd-bugs Mon Jan 27 12:40:06 2003
Date: Mon, 27 Jan 2003 12:40:03 -0800 (PST)
Message-Id: <200301272040.h0RKe3eO005455@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Matthew D. Fuller"
Subject: Re: bin/47541: pw lock still allows access
Sender: owner-freebsd-bugs@FreeBSD.ORG

The following reply was made to PR bin/47541; it has been noted by GNATS.
From: "Matthew D. Fuller"
To: Mike Makonnen
Cc: "Dan Mahoney, System Admin", freebsd-gnats-submit@freebsd.org
Subject: Re: bin/47541: pw lock still allows access
Date: Mon, 27 Jan 2003 14:31:08 -0600

On Mon, Jan 27, 2003 at 06:35:47AM -0500 I heard the voice of
Mike Makonnen, and lo! it spake thus:

> On Mon, 27 Jan 2003 06:06:12 -0500 (EST)
> "Dan Mahoney, System Admin" wrote:
>
> > And any potential FreeBSD user who needs the manpage may not know that.
> > At the very least this should be listed in the BUGS section of the
> > manpage.
>
> This is not a bug.
>
> Again, the keyword is "authentication". The purpose of modifying/locking the
> password field is so that the user cannot use the passwd database to
> authenticate him/herself. This is very different from disallowing a user
> from logging into a system. To take your specific example, there are 2 ways
> by which a client logging into the system can ascertain that he is who he
> claims to be: the passwd database, and ssh authentication keys. By locking
> the passwd entry for that user you are in effect saying the client can no
> longer use the passwd database to log in to this system. The only way he can
> be allowed into the system is if he provides a valid ssh key.

Oh, come on now...

It's not a bug, it's a heads-up. Heads-ups are not something outlawed in
the Grand Creed Of Unix Systems.

Here's a patch.

Index: pw.8
===================================================================
RCS file: /usr/cvs/src/usr.sbin/pw/pw.8,v
retrieving revision 1.32
diff -u -r1.32 pw.8
--- pw.8	12 Dec 2002 17:26:03 -0000	1.32
+++ pw.8	27 Jan 2003 20:28:58 -0000
@@ -801,7 +801,15 @@ .Ql *LOCKED* to the beginning of the password field in .Pa master.passwd -to prevent successful authentication. +to prevent successful password authentication. +Note that this does not have impact on authentication by other means, +such as +.Pa .rhosts +or +.Xr hosts.equiv 5 , +or any of the alternate forms of authentication that +.Xr ssh 1 +may use. .Pp The .Ar lock -- Matthew Fuller (MF4839) | fullermd@over-yonder.net Systems/Network Administrator | http://www.over-yonder.net/~fullermd/ "The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
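Review bot: the mdoc markup in the added sentence is inconsistent and the wording is awkward. `.Pa .rhosts` is marked as a path while `.Xr hosts.equiv 5` is a cross-reference; since hosts.equiv(5) documents the .rhosts format as well, either drop the `.Pa .rhosts` line or cross-reference both the same way. "does not have impact on" reads better as "has no effect on". For the ssh case, `.Xr sshd 8` is the more useful cross-reference than `.Xr ssh 1`: ssh(1) is the client, and it is the server, sshd, that accepts an authorized key without ever consulting the locked password field, which is exactly the point the new text is making.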
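The practical check the thread implies, as an added example that is not part of the PR or of pw(8): scan a master.passwd-format file for accounts whose password field was locked with the `*LOCKED*` prefix, then report which of those still have a non-empty per-user authorized_keys file and so remain reachable over ssh with a key. The sample master.passwd and home-directory tree are constructed here; the prefix argument to `locked_but_ssh_reachable` exists so the check can run against that tree instead of the live system (pass an empty string to audit the real /etc/master.passwd and home directories). The per-user `~/.ssh/authorized_keys` location is assumed to be sshd's default AuthorizedKeysFile.

```shell
# Added example, not code from the PR or from pw(8).
# master.passwd layout assumed: user:pw:uid:gid:class:change:expire:gecos:home:shell

# Print the login names whose password field starts with "*LOCKED*",
# which is what "pw lock" writes into master.passwd.
locked_accounts() {
    # $1: path to a master.passwd-format file
    awk -F: 'index($2, "*LOCKED*") == 1 { print $1 }' "$1"
}

# Print the locked accounts that still have a non-empty
# <home>/.ssh/authorized_keys, i.e. accounts the lock alone does not
# keep out of ssh. $2 is a prefix prepended to each home directory
# ("" for the live system, a scratch root for the constructed sample).
locked_but_ssh_reachable() {
    awk -F: 'index($2, "*LOCKED*") == 1 { print $1 ":" $9 }' "$1" |
    while IFS=: read -r user home; do
        keys="$2$home/.ssh/authorized_keys"
        if [ -s "$keys" ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Build a constructed sample under $1: a four-entry master.passwd and the
# matching home directories. The hashes are placeholders, not real hashes.
build_sample() {
    cat > "$1/master.passwd" <<'EOF'
root:$1$placeholder$hashhashhash:0:0::0:0:Charlie &:/root:/bin/csh
alice:*LOCKED*$1$placeholder$hashhashhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$1$placeholder$hashhashhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$placeholder$hashhashhash:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
    mkdir -p "$1/home/alice/.ssh" "$1/home/bob/.ssh" "$1/home/carol/.ssh"
    # alice is locked but keeps an authorized key: still reachable via ssh
    echo "ssh-rsa AAAAB3NzaC1yc2E placeholder-key alice@example" \
        > "$1/home/alice/.ssh/authorized_keys"
    # bob is locked and has an empty authorized_keys; carol is not locked at all
    : > "$1/home/bob/.ssh/authorized_keys"
}

# Run the audit against the constructed sample and print both lists.
demo() {
    root=$(mktemp -d) || return 1
    build_sample "$root"
    echo "locked accounts: $(locked_accounts "$root/master.passwd" | tr '\n' ' ')"
    echo "locked but still reachable via ssh key: $(locked_but_ssh_reachable "$root/master.passwd" "$root" | tr '\n' ' ')"
    rm -rf "$root"
}

demo
```

On the sample, `locked_accounts` reports alice and bob, and `locked_but_ssh_reachable` reports only alice: her password field is locked, yet sshd will still accept her authorized key, which is precisely the heads-up the manpage patch adds. The check reads only the default per-user key file; a host whose sshd points AuthorizedKeysFile elsewhere needs the path adjusted.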