From: Ceri Davies
To: Giorgos Keramidas
Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Date: Mon, 19 Sep 2005 17:52:19 +0100
Subject: Re: cvs commit: src/share/man/man5 passwd.5
Message-ID: <20050919165219.GB4124@submonkey.net>
In-Reply-To: <20050919122020.GA1759@flame.pc>

On Mon, Sep 19, 2005 at 03:20:20PM +0300, Giorgos Keramidas wrote:
> On 2005-09-18 23:24, Ceri Davies wrote:
> >On Sun, Sep 18, 2005 at 11:31:09PM +0300, Giorgos Keramidas wrote:
> >>On 2005-09-18 20:16, Gavin Atkinson wrote:
> >>> On Sun, 18 Sep 2005, Giorgos Keramidas wrote:
> >>> >   Modified files:
> >>> >     share/man/man5       passwd.5
> >>> >   Log:
> >>> >   Explain the use of `*' in master.passwd and that it's slightly
> >>> >   different from the use of `*' in /etc/passwd.
> >>>
> >>> +.Nm master.passwd
> >>> +file, a password of
> >>> +.Ql *
> >>> +is used to indicate that no one can ever log into that account.
> >>> +The field only contains encrypted passwords, and
> >>> +.Ql *
> >>> +can never be the result of encrypting a password.
> >>>
> >>> This is not strictly true - all it prevents is logins using passwords.
> >>> Passwordless logins using SSH public keys (for example) are unaffected.
> >
> > Since "pw lock" has been entering the string '*LOCKED*' for years now,
> > is there any reason why this has never been fed back to the OpenSSH
> > project for inclusion as LOCKED_PASSWD_STRING for FreeBSD?
> >
> > Then we can document that in passwd.5 too and usage can start to
> > converge.
>
> Hi Ceri,
>
> The `*' reference above in master.passwd is not really OpenSSH-related.
> I think I'm not 100% sure why you were reminded of OpenSSH.  Do you mean
> that we should document OpenSSH's and pw's ``*LOCKED*'' convention in
> there too?

What I'm getting at is that some operating systems allow a special *FOO
string in their (equivalent of) master.passwd file in order to indicate
that sshd should not allow users with that string in their entry to log
in.

For example, Solaris uses the string *NP* to indicate that a user has no
password - password authentication is therefore disabled for that user,
disallowing su, password-based ssh access, etc.  Cron jobs, key-based
auth, etc. continue to work.

It also supports *LK* which indicates that an account is locked: in this
case, cron jobs for the user will not be run and ssh access is denied
altogether.  The ssh bit works because OpenSSH knows that it should be
looking for the string *LK* and denying access if it is there.  Search
for LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.

What I'm wondering is why OpenSSH doesn't know about *LOCKED*; previous
discussions that I've had indicate that this is because we (the FreeBSD
project) haven't decided that *LOCKED* is canonical enough yet.

Ceri
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.                  -- Einstein (attrib.)
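Review bot: the line `+is used to indicate that no one can ever log into that account.` in the quoted passwd.5 hunk overstates what `*` achieves. As the follow-up in the thread points out, a field that no encrypted password can ever equal only rules out password authentication; SSH public-key logins and anything else that never consults the password field still succeed. Suggest narrowing the sentence to "no one can log into that account using a password" and, where an actual lock is meant, pointing the reader at pw(8) lock and its `*LOCKED*` string rather than at `*`.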
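The distinction the message draws (a field that no hash can equal disables password authentication, while only a string that sshd is compiled to recognise makes sshd refuse the account outright) is easy to lose when auditing an account database. The following Python script is an added example, not part of the original message or of any FreeBSD or OpenSSH code: it parses master.passwd(5)-style records (constructed sample data, not from a real system), classifies each password field against the marker strings named in the thread, and models OpenSSH's LOCKED_PASSWD_STRING as a parameter so the same records can be checked against the FreeBSD `*LOCKED*` convention and the Solaris `*LK*` one. The hash alphabet is an assumption modelled on the crypt(3) base64 character set.

```python
# Added example (not from the original message): audit master.passwd(5)
# records for the password-field lock conventions discussed in the thread.
from dataclasses import dataclass

# Assumption: characters a crypt(3) hash can contain (base64 set plus '$'
# for the scheme/salt separators).  Markers such as '*' or '!' are outside
# it, which is why a field containing them can never match a typed password.
HASH_ALPHABET = set(
    "./$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)

# Marker strings named in the thread and what each one signifies.
MARKER_MEANING = {
    "*": "no valid password; password authentication impossible",
    "*LOCKED*": "locked by FreeBSD pw(8) lock",
    "*NP*": "Solaris: no password; cron and key-based auth keep working",
    "*LK*": "Solaris: account locked; cron suspended, sshd denies access",
}


@dataclass
class AccountStatus:
    user: str
    password_field: str
    password_auth_possible: bool  # could any typed password ever match?
    marker: str                   # which convention the field follows
    sshd_refuses: bool            # does sshd treat the account as locked?


def classify_password_field(field: str) -> tuple[bool, str]:
    """Return (password_auth_possible, description) for one password field."""
    if field == "":
        # An empty field means no password is required at all.
        return True, "empty: login without any password"
    if field in MARKER_MEANING:
        return False, MARKER_MEANING[field]
    if set(field) <= HASH_ALPHABET:
        return True, "encrypted password"
    # Anything else contains characters no hash can have: it is a lock
    # marker of some kind, just not one named in the thread.
    return False, "unrecognised marker; password authentication impossible"


def audit_master_passwd(lines, locked_passwd_string="*LOCKED*"):
    """Parse master.passwd(5) records and report each account's status.

    locked_passwd_string models OpenSSH's LOCKED_PASSWD_STRING: sshd refuses
    the account outright only when the field equals that exact string, which
    is the convergence problem the thread raises.
    """
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd record: {raw!r}")
        user, pw = fields[0], fields[1]
        auth_ok, marker = classify_password_field(pw)
        results.append(AccountStatus(
            user=user,
            password_field=pw,
            password_auth_possible=auth_ok,
            marker=marker,
            sshd_refuses=(pw == locked_passwd_string),
        ))
    return results


# Constructed sample records (master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell).
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real system
root:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*LOCKED*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LK*:1002:1002::0:0:Bob:/home/bob:/bin/sh
guest::1003:1003::0:0:Guest:/home/guest:/bin/sh
""".splitlines()


if __name__ == "__main__":
    for st in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        pw_auth = "yes" if st.password_auth_possible else "no"
        refused = "yes" if st.sshd_refuses else "no"
        print(f"{st.user:8} password-auth={pw_auth:3} "
              f"sshd-refuses={refused:3} {st.marker}")
```

Running it with the default `*LOCKED*` string shows alice as the only account sshd would refuse, while bob's `*LK*` field only disables password authentication; passing `locked_passwd_string="*LK*"` flips the two, which is exactly why the thread asks for the FreeBSD string to be fed back to OpenSSH. The `guest` record, with an empty field, is the one an auditor most wants flagged: it is the opposite of locked.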