From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 30 16:40:31 2004 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6397916A4CE for ; Mon, 30 Aug 2004 16:40:31 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5264843D5E for ; Mon, 30 Aug 2004 16:40:31 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i7UGeR9L079715 for ; Mon, 30 Aug 2004 16:40:27 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7UGeRKD079714; Mon, 30 Aug 2004 16:40:27 GMT (envelope-from gnats) Date: Mon, 30 Aug 2004 16:40:27 GMT Message-Id: <200408301640.i7UGeRKD079714@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Ceri Davies Subject: Re: bin/71147: sshd(8) will allow to log into a locked account X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Ceri Davies List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 16:40:31 -0000 The following reply was made to PR bin/71147; it has been noted by GNATS. From: Ceri Davies To: Dag-Erling Sm?rgrav Cc: FreeBSD Gnats Submit Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Date: Mon, 30 Aug 2004 17:39:08 +0100 On Mon, Aug 30, 2004 at 04:20:21PM +0000, Dag-Erling Sm?rgrav wrote: > The following reply was made to PR bin/71147; it has been noted by GNATS. > > From: des@des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=) > To: Yar Tikhiy > Cc: Ruslan Ermilov , FreeBSD-gnats-submit@freebsd.org > Subject: Re: bin/71147: sshd(8) will allow to log into a locked account > Date: Mon, 30 Aug 2004 18:11:37 +0200 > > Yar Tikhiy writes: > > There is a lot of ways to check user's identity: public key, Unix > > password, TACACS+, RADIUS etc. However, we are still in the Unix > > reality, where there must exist a 1-to-1 correspondence between > > user's identity and a local account. And the common sense of this > > Unix reality dictates IMHO that when I'm putting `*' into user's > > password field of master.passwd, I do mean locking the user out of > > the system. > > That's a policy decision, not an inherent feature of the underlying > mechanism. > > > In other words: An authentication subsystem guarantees that the user > > connecting to my system is actually Joe Random User. However, the > > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User, > > but now I want you to stay off my system until I allow you in." > > pw usermod joe -s /usr/sbin/nologin This is arguably what "pw lock joe" should do then. It certainly sounds like prepending "*LOCKED*" is either incorrect, or that sshd should be checking for *LOCKED*. Ceri -- It is not tinfoil, it is my new skin. I am a robot.