From owner-freebsd-bugs@FreeBSD.ORG Wed Sep 1 03:10:23 2004
Date: Wed, 1 Sep 2004 03:10:22 GMT
Message-Id: <200409010310.i813AMfg062755@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Yar Tikhiy
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Yar Tikhiy
To: Dag-Erling Smørgrav
Cc: Ruslan Ermilov, FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 07:01:36 +0400

On Mon, Aug 30, 2004 at 06:11:37PM +0200, Dag-Erling Smørgrav wrote:
> Yar Tikhiy writes:
> > There are a lot of ways to check a user's identity: public key, Unix
> > password, TACACS+, RADIUS etc. However, we are still in the Unix
> > reality, where there must exist a 1-to-1 correspondence between
> > a user's identity and a local account. And the common sense of this
> > Unix reality dictates IMHO that when I'm putting `*' into a user's
> > password field of master.passwd, I do mean locking the user out of
> > the system.
>
> That's a policy decision, not an inherent feature of the underlying
> mechanism.

Yes, but this policy decision has become the best current practice, and diverging from it isn't significantly better than renaming `ls' to `dir' so that users migrating from MS Windows are happy.

> > In other words: An authentication subsystem guarantees that the user
> > connecting to my system is actually Joe Random User. However, the
> > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
> > but now I want you to stay off my system until I allow you in."
>
> pw usermod joe -s /usr/sbin/nologin

As has already been noted in the audit trail, pw(8) implements account locking of its own, which in fact sticks to the asterisk locking practice. The native locking of pw(8) is also better than assigning nologin(8) as the user's shell because the former can be undone, which makes performing lock/unlock cycles really easy. Assigning nologin(8) is closer to completely disabling an account than to locking it.

However, I feel that the full-blown prefix `*LOCKED*' should be left for pw(8) purposes, while just a leading asterisk may be considered by sshd(8) as a sure sign of an account being locked. E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.

--
Yar
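The distinction drawn in this thread (a `*LOCKED*` prefix written by pw(8), a bare leading asterisk as the classic lock marker, and a nologin(8) shell as a separate "disabled" state) can be checked mechanically. The following is an added example, not code from the PR, from sshd(8) or from pw(8): it parses master.passwd-style lines and classifies the password field by the two lock conventions, reporting the nologin shell separately so the two are not conflated. The `PASSWD_LOCK_PREFIX` value, the field layout (name:passwd:uid:gid:class:change:expire:gecos:home:shell, as documented in passwd(5)) and the sample lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Prefix that pw(8) writes when locking an account (assumed value for this example). */
#define PASSWD_LOCK_PREFIX "*LOCKED*"
#define NOLOGIN_SHELL      "/usr/sbin/nologin"
#define MASTER_PASSWD_NFIELDS 10

enum lock_state {
    ACCT_ACTIVE = 0,     /* password field contains a usable hash (or is empty) */
    ACCT_LOCKED_PW = 1,  /* "*LOCKED*" prefix: reversible pw(8) lock */
    ACCT_LOCKED_STAR = 2 /* bare leading '*': no hash can ever match */
};

struct acct {
    char name[64];
    char passwd[128];
    char shell[128];
};

/* Split one master.passwd line into its 10 colon-separated fields.
 * Done by hand because strtok() would swallow empty fields such as
 * an empty password or class. Returns 0 on success, -1 on malformed input. */
int parse_master_passwd_line(const char *line, struct acct *out)
{
    char buf[512];
    char *fields[MASTER_PASSWD_NFIELDS];
    char *p;
    size_t len = strlen(line);
    int n = 0;

    if (len >= sizeof(buf))
        return -1;
    memcpy(buf, line, len + 1);
    if (len > 0 && buf[len - 1] == '\n')
        buf[len - 1] = '\0';

    p = buf;
    fields[n++] = p;
    while (*p != '\0' && n < MASTER_PASSWD_NFIELDS) {
        if (*p == ':') {
            *p = '\0';
            fields[n++] = p + 1;
        }
        p++;
    }
    if (n != MASTER_PASSWD_NFIELDS)
        return -1;

    snprintf(out->name, sizeof(out->name), "%s", fields[0]);
    snprintf(out->passwd, sizeof(out->passwd), "%s", fields[1]);
    snprintf(out->shell, sizeof(out->shell), "%s", fields[9]);
    return 0;
}

/* Classify the password field alone. The pw(8) prefix is checked first
 * because it also begins with '*'; a plain leading '*' is the older lock. */
enum lock_state classify_passwd(const char *pw_passwd)
{
    if (strncmp(pw_passwd, PASSWD_LOCK_PREFIX, strlen(PASSWD_LOCK_PREFIX)) == 0)
        return ACCT_LOCKED_PW;
    if (pw_passwd[0] == '*')
        return ACCT_LOCKED_STAR;
    return ACCT_ACTIVE;
}

/* Convenience wrappers over a whole line: return the enum value, or -1 if
 * the line does not parse. The nologin shell is reported separately since
 * it disables rather than locks the account. */
int lock_state_of_line(const char *line)
{
    struct acct a;
    if (parse_master_passwd_line(line, &a) != 0)
        return -1;
    return (int)classify_passwd(a.passwd);
}

int nologin_shell_of_line(const char *line)
{
    struct acct a;
    if (parse_master_passwd_line(line, &a) != 0)
        return -1;
    return strcmp(a.shell, NOLOGIN_SHELL) == 0;
}

int main(void)
{
    /* Constructed sample entries; hashes are obviously fake placeholders. */
    const char *samples[] = {
        "joe:*LOCKED*$1$saltsalt$FAKEHASHFAKEHASHFAKEHA:1001:1001::0:0:Joe Random User:/home/joe:/bin/sh",
        "mary:*:1002:1002::0:0:Mary:/home/mary:/bin/sh",
        "bob:$1$saltsalt$FAKEHASHFAKEHASHFAKEHA:1003:1003::0:0:Bob:/home/bob:/usr/sbin/nologin",
        "alice::1004:1004::0:0:Alice:/home/alice:/bin/sh",
        "broken:only:three",
    };
    const char *names[] = { "active", "locked (pw)", "locked (*)" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int st = lock_state_of_line(samples[i]);
        if (st < 0)
            printf("%-8.8s malformed entry\n", samples[i]);
        else
            printf("%-8.8s %-12s nologin shell: %s\n", samples[i], names[st],
                   nologin_shell_of_line(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

The point of keeping `nologin_shell_of_line` separate is the one made in the reply: a login daemon deciding whether to refuse a locked account should look at the password field, not at the shell, because the shell tells it nothing about whether the lock is meant to be temporary.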