Date: Mon, 30 Aug 2004 16:20:21 GMT From: des@des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=) To: freebsd-bugs@FreeBSD.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Message-ID: <200408301620.i7UGKLi7077355@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/71147; it has been noted by GNATS. From: des@des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=) To: Yar Tikhiy <yar@comp.chem.msu.su> Cc: Ruslan Ermilov <ru@freebsd.org>, FreeBSD-gnats-submit@freebsd.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Date: Mon, 30 Aug 2004 18:11:37 +0200 Yar Tikhiy <yar@comp.chem.msu.su> writes: > There is a lot of ways to check user's identity: public key, Unix > password, TACACS+, RADIUS etc. However, we are still in the Unix > reality, where there must exist a 1-to-1 correspondence between > user's identity and a local account. And the common sense of this > Unix reality dictates IMHO that when I'm putting `*' into user's > password field of master.passwd, I do mean locking the user out of > the system. That's a policy decision, not an inherent feature of the underlying mechanism. > In other words: An authentication subsystem guarantees that the user > connecting to my system is actually Joe Random User. However, the > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User, > but now I want you to stay off my system until I allow you in." pw usermod joe -s /usr/sbin/nologin DES --=20 Dag-Erling Sm=F8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200408301620.i7UGKLi7077355>