From owner-freebsd-bugs@FreeBSD.ORG Wed Sep 1 10:40:25 2004
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC47516A4CF for ; Wed, 1 Sep 2004 10:40:25 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E75043D68 for ; Wed, 1 Sep 2004 10:40:25 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i81AeN7L032213 for ; Wed, 1 Sep 2004 10:40:23 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i81AeNq2032212; Wed, 1 Sep 2004 10:40:23 GMT (envelope-from gnats)
Date: Wed, 1 Sep 2004 10:40:23 GMT
Message-Id: <200409011040.i81AeNq2032212@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ceri Davies
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Ceri Davies
List-Id: Bug reports
X-List-Received-Date: Wed, 01 Sep 2004 10:40:25 -0000

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Ceri Davies
To: Yar Tikhiy
Cc: FreeBSD Gnats Submit
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 11:32:06 +0100

On Wed, Sep 01, 2004 at 03:10:22AM +0000, Yar Tikhiy wrote:
> However, I feel that the full blown prefix `*LOCKED*' should be
> left for pw(8) purposes while just a leading asterisk may be
> considered by sshd(8) as a sure sign of an account being locked.
> E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.

I don't agree, Yar.

I think that "pw lock" should be the canonical way to lock an account, that *LOCKED* should therefore be the string that ssh checks for on FreeBSD (pw has been doing this for nearly five years, so I believe that this is the de facto standard now), and that any other string should be interpreted as "fail password authentication" only.

Whatever we choose, the string should be passed back to the OpenSSH team so that they can check for it.

And this should all be documented as such, obviously ;-)

Ceri

-- 
It is not tinfoil, it is my new skin. I am a robot.
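Added illustration, not code from the thread, from sshd or from pw(8): a C classifier for the password field of a master.passwd(5) entry that encodes both positions argued above, the `*LOCKED*` string Ceri wants sshd to check for and the leading-asterisk rule (PASSWD_LOCK_PREFIX) Yar proposes, so the difference in what each policy denies is explicit. The field-extraction helper, the enum names and the assumed expansion of PASSWD_LOCK_PREFIX to "*" are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Marker pw(8) prepends when locking (from the thread); PASSWD_LOCK_PREFIX is
 * the macro Yar names, assumed here to expand to "*". */
#define PW_LOCKED_STRING   "*LOCKED*"
#define PASSWD_LOCK_PREFIX "*"

enum lock_policy { POLICY_LOCKED_STRING, POLICY_LEADING_STAR };
enum acct_state  { ACCT_OK, ACCT_LOCKED, ACCT_NO_PASSWORD_AUTH };

/* Copy the password field (field 2) of a master.passwd(5)-style line into
 * buf; returns -1 if the line has no such field. */
static int pw_field(const char *line, char *buf, size_t len)
{
    const char *start = strchr(line, ':');
    if (start == NULL) return -1;
    start++;
    const char *end = strchr(start, ':');
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n >= len) n = len - 1;
    memcpy(buf, start, n);
    buf[n] = '\0';
    return 0;
}

/* Classify an account from its password field under either policy. */
enum acct_state classify(const char *pw, enum lock_policy policy)
{
    if (strncmp(pw, PW_LOCKED_STRING, strlen(PW_LOCKED_STRING)) == 0)
        return ACCT_LOCKED;         /* locked by pw(8): both sides agree */
    if (strncmp(pw, PASSWD_LOCK_PREFIX, strlen(PASSWD_LOCK_PREFIX)) == 0)
        /* Yar: any leading '*' means locked; Ceri: only password auth fails */
        return policy == POLICY_LEADING_STAR ? ACCT_LOCKED : ACCT_NO_PASSWORD_AUTH;
    return ACCT_OK;                 /* a real hash: hand it to crypt(3) */
}

/* Malformed entries fail closed as locked. */
enum acct_state classify_line(const char *line, enum lock_policy policy)
{
    char pw[128];
    if (pw_field(line, pw, sizeof pw) != 0)
        return ACCT_LOCKED;
    return classify(pw, policy);
}
```

Under Ceri's policy a key-only account whose field is a bare "*" still gets ACCT_NO_PASSWORD_AUTH rather than ACCT_LOCKED, which is exactly the case where the two proposals diverge.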