Date:      Wed, 1 Sep 2004 15:10:29 GMT
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/71147: sshd(8) will allow to log into a locked account
Message-ID:  <200409011510.i81FATTk063839@freefall.freebsd.org>

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 17:06:21 +0200

 
 On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
 > The following reply was made to PR bin/71147; it has been noted by GNATS.
 >
 >  However, I feel that the full blown prefix `*LOCKED*' should be
 >  left for pw(8) purposes while just a leading asterisk may be
 >  considered by sshd(8) as a sure sign of an account being locked.
 >  E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
 
 If you prevent accounts with a "*" from logging in with a ssh key you
 will break POLA.  I know that I have several systems where the
 password in master.passwd is set to "*" and I then log in via ssh
 keys.
 
 Also a "*" in the password file does not prevent a user logging in
 when authenticating via Kerberos.
 
 --
 Simon L. Nielsen
 FreeBSD Documentation Team
 

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200409011510.i81FATTk063839>
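
The difference between the two prefixes discussed in this message, shown as an added example that is not part of the original e-mail and is not sshd's code. The helpers `is_locked` and `count_locked` and all sample entries are hypothetical; `*LOCKED*` as the pw(8) prefix is taken from the quoted text.

```c
#include <stdio.h>
#include <string.h>

#define LOCK_PREFIX_FULL "*LOCKED*" /* prefix the thread attributes to pw(8) */
#define LOCK_PREFIX_STAR "*"        /* shorter prefix proposed in the quoted text */

/* Constructed master.passwd-style lines; every name and hash is made up. */
static const char *const sample[] = {
    "alice:$2a$04$constructedhashvalue:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:*:1002:1002::0:0:Bob, ssh keys only:/home/bob:/bin/sh",
    "carol:*LOCKED*$2a$04$constructedhashvalue:1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "dave:*LOCKED**:1004:1004::0:0:Dave, locked key-only:/home/dave:/bin/sh",
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Return 1 if the password field (2nd colon-separated field) starts with prefix,
 * 0 if it does not, -1 if the line has no complete password field. */
static int is_locked(const char *line, const char *prefix)
{
    const char *pw = strchr(line, ':');
    const char *end;
    size_t plen = strlen(prefix);

    if (pw == NULL || (end = strchr(++pw, ':')) == NULL)
        return -1;
    /* The prefix must fit inside the field, not run into the next one. */
    return (size_t)(end - pw) >= plen && strncmp(pw, prefix, plen) == 0;
}

/* Count the sample entries a given prefix would treat as locked. */
static int count_locked(const char *prefix)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        if (is_locked(sample[i], prefix) == 1)
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("%-6.*s full=%d star=%d\n", (int)strcspn(sample[i], ":"), sample[i],
               is_locked(sample[i], LOCK_PREFIX_FULL),
               is_locked(sample[i], LOCK_PREFIX_STAR));
    printf("locked: full=%d star=%d\n", count_locked(LOCK_PREFIX_FULL),
           count_locked(LOCK_PREFIX_STAR));
    return 0;
}
```

The only entry the two prefixes disagree on is `bob`, the constructed account with a bare `*` password field that logs in with ssh keys.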