Date: Mon, 19 Sep 2005 17:52:19 +0100 From: Ceri Davies <ceri@submonkey.net> To: Giorgos Keramidas <keramida@ceid.upatras.gr> Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org Subject: Re: cvs commit: src/share/man/man5 passwd.5 Message-ID: <20050919165219.GB4124@submonkey.net> In-Reply-To: <20050919122020.GA1759@flame.pc> References: <200509181540.j8IFe2LR042274@repoman.freebsd.org> <20050918200104.F89636@ury.york.ac.uk> <20050918203109.GA1419@flame.pc> <20050918222401.GQ441@submonkey.net> <20050919122020.GA1759@flame.pc>
next in thread | previous in thread | raw e-mail | index | archive | help
--NzB8fVQJ5HfG6fxh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Sep 19, 2005 at 03:20:20PM +0300, Giorgos Keramidas wrote: > On 2005-09-18 23:24, Ceri Davies <ceri@submonkey.net> wrote: > >On Sun, Sep 18, 2005 at 11:31:09PM +0300, Giorgos Keramidas wrote: > >>On 2005-09-18 20:16, Gavin Atkinson <gavin.atkinson@ury.york.ac.uk> wro= te: > >>> On Sun, 18 Sep 2005, Giorgos Keramidas wrote: > >>> > Modified files: > >>> > share/man/man5 passwd.5 > >>> > Log: > >>> > Explain the use of `*' in master.passwd and that it's slightly > >>> > different from the use of `*' in /etc/passwd. > >>> > >>> +.Nm master.passwd > >>> +file, a password of > >>> +.Ql * > >>> +is used to indicate that no one can ever log into that account. > >>> +The field only contains encrypted passwords, and > >>> +.Ql * > >>> +can never be the result of encrypting a password. > >>> > >>> This is not strictly true - all it prevents is logins using passwords. > >>> Passwordless logins using SSH public keys (for example) are unaffecte= d. > > > > Since "pw lock" has been entering the string '*LOCKED*' for years now, > > is there any reason why this has never been fed back to the OpenSSH > > project for inclusion as LOCKED_PASSWD_STRING for FreeBSD? > > > > Then we can document that in passwd.5 too and usage can start to > > converge. >=20 > Hi Ceri, >=20 > The `*' reference above in master.passwd is not really OpenSSH-related. > I think I'm not 100% sure why you were reminded of OpenSSH. Do you mean > that we should document OpenSSH's and pw's ``*LOCKED*'' convention in > there too? What I'm getting at is that some operating systems allow a special *FOO string in their (equivalent of) master.passwd file in order to indicate that sshd should not allow users with that string in their entry to log in. For example, Solaris uses the string *NP* to indicate that a user has no password - password authentication is therefore disabled for that user, disallowing su, password-based ssh access, etc. Cron jobs, key-based auth, etc. continue to work. It also supports *LK* which indicates that an account is locked: in this case, cron jobs for the user will not be run and ssh access is denied altogether. The ssh bit works because OpenSSH knows that it should be looking for the string *LK* and denying access if it is there. Search for LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c. What I'm wondering is why OpenSSH doesn't know about *LOCKED*; previous discussions that I've had indicate that this is because we (the FreeBSD project) haven't decided that *LOCKED* is canonical enough yet. Ceri --=20 Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -- Einstein (attrib.) --NzB8fVQJ5HfG6fxh Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDLuzDocfcwTS3JF8RAl7EAJ9V5plJH9bd9JQyqRP13RQsgeuaeACghrba OUsBF0JFpZ2sO0xoegrQbz4= =+DVA -----END PGP SIGNATURE----- --NzB8fVQJ5HfG6fxh--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050919165219.GB4124>