From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 30 15:00:50 2004
Date: Mon, 30 Aug 2004 15:00:50 GMT
Message-Id: <200408301500.i7UF0oFd065431@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Ruslan Ermilov
To: Yar Tikhiy
Cc: FreeBSD-gnats-submit@freebsd.org, des@freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 17:59:48 +0300

On Mon, Aug 30, 2004 at 04:52:54PM +0400, Yar Tikhiy wrote:
>
> >Description:
> In FreeBSD (and other BSDs), the well-known way to lock out
> a user's account is setting the user's encrypted password to
> an asterisk character, `*', in master.passwd. Arguably, one
> can also lock out a user by just _prefixing_ the password field
> value with `*'. Anyway, sshd(8) will ignore either lock
> and allow the user to log in if he authenticates himself by
> means other than the Unix password, e.g., using his public key.
>
Yes, if sshd(8) is configured accordingly.

> >Fix:
> If we forget about PAM for a while, the bug exists because
> src/crypto/openssh/configure.ac lacks description of account
> locking for FreeBSD. It may be added to the OpenSSH source
> tree or to the FreeBSD source tree, but in either case it's
> a FreeBSD-specific issue. The fix is as follows: find the
> FreeBSD-specific section (search for "freebsd") and add an AC
> macro there specifying the lock method. It may be
>
> AC_DEFINE(LOCKED_PASSWD_STRING, "*")
>
> or
>
> AC_DEFINE(LOCKED_PASSWD_PREFIX, "*")
>
> depending on which "tradition" we decide to stick to.
>
> Why does PAM allow locked users in? That's another issue...
>
PAM does not -- it's the pubkey authentication that does. If you
disable the public key authentication method in sshd_config(5)
(which is enabled by default) then only PAM will be used, and no
user with a locked password will be able to log in.

What you're probably looking for is to set the PubkeyAuthentication
and RSAAuthentication parameters to "no" in /etc/ssh/sshd_config.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
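The two lock conventions Yar describes (an exact `*` password field versus a `*` prefix, the `LOCKED_PASSWD_STRING` / `LOCKED_PASSWD_PREFIX` choice) and Ruslan's point that the lock only holds when key-based authentication is turned off in sshd_config can be turned into a small audit check. The following is an added example, not code from the PR, from OpenSSH or from FreeBSD: it parses constructed master.passwd(5)-style lines under either lock convention, reads the effective `PubkeyAuthentication` / `RSAAuthentication` values from a constructed sshd_config(5) (first occurrence wins, keywords case-insensitive, and "yes" assumed when absent, as the reply says pubkey auth is enabled by default; Match blocks are not handled), and reports whether locked accounts could still be reached with a key. The sample password hashes and account names are constructed, not real.

```python
"""Audit helper for the condition described in PR bin/71147 (added example,
constructed data; not the PR's, OpenSSH's or FreeBSD's own code)."""
from __future__ import annotations

# The two conventions from the PR. OpenSSH's configure.ac names them
# LOCKED_PASSWD_STRING (field is exactly "*") and LOCKED_PASSWD_PREFIX
# (field merely begins with "*").
LOCKED_PASSWD_STRING = "*"
LOCKED_PASSWD_PREFIX = "*"


def is_locked(pw_field: str, method: str = "prefix") -> bool:
    """True when the encrypted-password field marks the account as locked.

    method="string" mirrors LOCKED_PASSWD_STRING; method="prefix" mirrors
    LOCKED_PASSWD_PREFIX. The prefix rule is a superset of the string rule.
    """
    if method == "string":
        return pw_field == LOCKED_PASSWD_STRING
    if method == "prefix":
        return pw_field.startswith(LOCKED_PASSWD_PREFIX)
    raise ValueError(f"unknown lock method: {method}")


def locked_accounts(master_passwd: str, method: str = "prefix") -> list[str]:
    """Parse master.passwd(5)-formatted text and return the locked login names."""
    locked = []
    for raw in master_passwd.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry: no password field to judge
        name, pw_field = fields[0], fields[1]
        if is_locked(pw_field, method):
            locked.append(name)
    return locked


def sshd_option(config: str, keyword: str, default: str = "yes") -> str:
    """Effective value of one sshd_config(5) keyword.

    sshd honours the first occurrence of a keyword; keywords are matched
    case-insensitively and "keyword value" or "keyword=value" are accepted.
    Per the reply, pubkey authentication is on by default, hence default="yes".
    Match blocks are deliberately not modelled here.
    """
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default


def key_logins_possible(config: str) -> bool:
    """True if sshd would still accept key-based authentication, in which case
    the "*" lock in master.passwd is not enforced for those logins."""
    return (sshd_option(config, "PubkeyAuthentication") == "yes"
            or sshd_option(config, "RSAAuthentication") == "yes")


def audit(master_passwd: str, config: str, method: str = "prefix") -> dict[str, object]:
    """Combine both checks into one report."""
    locked = locked_accounts(master_passwd, method)
    keys_ok = key_logins_possible(config)
    return {
        "locked_accounts": locked,
        "key_logins_possible": keys_ok,
        "lock_bypassable_via_keys": bool(locked) and keys_ok,
    }


# Constructed sample data; the hashes are placeholders, not real credentials.
SAMPLE_MASTER_PASSWD = """\
# constructed master.passwd excerpt
root:$1$constructedhash$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*$1$constructedhash$yyyyyyyyyyyyyyyyyyyyyy:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$constructedhash$zzzzzzzzzzzzzzzzzzzzzz:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

# Default-style config: pubkey auth never mentioned, so it stays enabled.
SAMPLE_SSHD_CONFIG_DEFAULT = """\
#PubkeyAuthentication yes
PasswordAuthentication no
"""

# Config following the reply's advice; the later "yes" is ignored because
# sshd takes the first occurrence of a keyword.
SAMPLE_SSHD_CONFIG_FIXED = """\
PubkeyAuthentication no
RSAAuthentication = no
PubkeyAuthentication yes   # ignored: first occurrence wins
"""

if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_SSHD_CONFIG_DEFAULT),
                       ("fixed", SAMPLE_SSHD_CONFIG_FIXED)):
        print(label, audit(SAMPLE_MASTER_PASSWD, cfg))
```

Run with the "prefix" method to see both `alice` and `bob` reported as locked, and with "string" to see only `alice`; against the default-style config the report flags the lock as bypassable via keys, against the fixed config it does not.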