From owner-freebsd-bugs@FreeBSD.ORG Tue Aug 31 12:10:45 2004
Date: Tue, 31 Aug 2004 12:10:45 GMT
Message-Id: <200408311210.i7VCAjOS048759@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Reply-To: Ruslan Ermilov
List-Id: Bug reports

The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Ruslan Ermilov
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Tue, 31 Aug 2004 15:07:57 +0300

Yar asked me to follow up here...

As it turns out, this feature is available only in recent OpenSSH versions (I haven't investigated which version it first appeared in). I originally looked at the 4.x version of the sshd(8) manpage, and it didn't mention any such feature.

In HEAD, OpenSSH provides this useful feature; here's a relevant excerpt from the sshd(8) manpage in HEAD:

: Regardless of the authentication type, the account is
: checked to ensure that it is accessible. An account is
: not accessible if it is locked, listed in DenyUsers or
: its group is listed in DenyGroups. The definition of
: a locked account is system dependant. Some platforms have
: their own account database (eg AIX) and some modify the
: passwd field (`*LK*' on Solaris, `*' on HP-UX, containing
: `Nologin' on Tru64 and a leading `!!' on Linux). If there
: is a requirement to disable password authentication for
: the account while allowing still public-key, then the
: passwd field should be set to something other than these
: values (eg `NP' or `*NP*').

For FreeBSD, I think the locking type should match the one used by pw(8):

: USER LOCKING
: The pw utility supports a simple password locking mechanism
: for users; it works by prepending the string `*LOCKED*'
: to the beginning of the password field in master.passwd
: to prevent successful authentication. The lock and unlock
: commands take a user name or uid of the account to lock
: or unlock, respectively. The -V, -C, and -q options as
: described above are accepted by these commands.
That would be (in the patch form): %%% Index: configure.ac =================================================================== RCS file: /home/ncvs/src/crypto/openssh/configure.ac,v retrieving revision 1.9 diff -u -r1.9 configure.ac --- configure.ac 20 Apr 2004 09:46:39 -0000 1.9 +++ configure.ac 31 Aug 2004 12:05:17 -0000 @@ -264,6 +264,7 @@ ;; *-*-freebsd*) check_for_libcrypt_later=1 + AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*") ;; *-*-bsdi*) AC_DEFINE(SETEUID_BREAKS_SETUID) %%% Cheers, -- Ruslan Ermilov ru@FreeBSD.org FreeBSD committer
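Review bot: the new `AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*")` in the `*-*-freebsd*` case matches pw(8)'s marker, but the patch adds no documentation of the FreeBSD definition; the sshd(8) text quoted above lists only Solaris, HP-UX, Tru64 and Linux, so suggest a matching manpage addition (e.g. "a leading `*LOCKED*' on FreeBSD") in the same change. Also worth confirming in the consumer of this define that the comparison is a prefix match and not an exact string compare, since pw(8) prepends `*LOCKED*` to the existing hash rather than replacing it.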
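To make the locked-account check concrete, here is an added example (not OpenSSH's or FreeBSD's code) that classifies a master.passwd password field as locked or not using the platform conventions quoted above from sshd(8) and pw(8). It assumes exact matches for Solaris and HP-UX, a substring match for Tru64, and prefix matches for Linux and FreeBSD; the `*NP*` case is deliberately reported as not locked, since the manpage reserves it for "password disabled, keys still allowed".

```c
/* Added example (not OpenSSH or FreeBSD code): classify password fields as
 * locked using the per-platform conventions quoted from sshd(8) and pw(8). */
#include <stdbool.h>
#include <string.h>

/* FreeBSD: pw(8) prepends this to the existing hash, so a prefix test is required. */
#define LOCKED_PASSWD_PREFIX "*LOCKED*"

enum platform { PLAT_FREEBSD, PLAT_SOLARIS, PLAT_HPUX, PLAT_TRU64, PLAT_LINUX };

/* True when the passwd field marks the account as locked on 'plat' (assumed:
 * exact match on Solaris/HP-UX, substring on Tru64, prefix on Linux/FreeBSD).
 * "NP"/"*NP*" are not locked: they only disable password authentication. */
bool passwd_field_locked(enum platform plat, const char *field)
{
    if (field == NULL)
        return false;
    switch (plat) {
    case PLAT_FREEBSD: return strncmp(field, LOCKED_PASSWD_PREFIX,
                                      strlen(LOCKED_PASSWD_PREFIX)) == 0;
    case PLAT_SOLARIS: return strcmp(field, "*LK*") == 0;
    case PLAT_HPUX:    return strcmp(field, "*") == 0;
    case PLAT_TRU64:   return strstr(field, "Nologin") != NULL;
    case PLAT_LINUX:   return strncmp(field, "!!", 2) == 0;
    }
    return false;
}

/* Copies the password field (second colon-separated field) of a
 * master.passwd(5)-style line into buf; false if malformed or too long. */
bool passwd_field_from_line(const char *line, char *buf, size_t buflen)
{
    const char *start = strchr(line, ':');
    const char *end = start ? strchr(start + 1, ':') : NULL;
    size_t len = end ? (size_t)(end - start - 1) : 0;
    if (end == NULL || len >= buflen)
        return false;
    memcpy(buf, start + 1, len);
    buf[len] = '\0';
    return true;
}

/* Locked-status of a whole master.passwd line under the FreeBSD convention. */
bool freebsd_line_locked(const char *line)
{
    char field[256];
    return passwd_field_from_line(line, field, sizeof field) &&
           passwd_field_locked(PLAT_FREEBSD, field);
}
```

The sample lines in the checks below are constructed; the hash strings are placeholders, not real hashes.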