Date: Thu, 2 Sep 2004 12:50:25 GMT From: Yar Tikhiy <yar@comp.chem.msu.su> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Message-ID: <200409021250.i82CoPOq030871@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/71147; it has been noted by GNATS. From: Yar Tikhiy <yar@comp.chem.msu.su> To: "Simon L. Nielsen" <simon@FreeBSD.org> Cc: freebsd-gnats-submit@FreeBSD.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Date: Thu, 2 Sep 2004 16:47:27 +0400 On Wed, Sep 01, 2004 at 05:06:21PM +0200, Simon L. Nielsen wrote: > On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote: > > The following reply was made to PR bin/71147; it has been noted by GNATS. > > > > However, I feel that the full blown prefix `*LOCKED*' should be > > left for pw(8) purposes while just a leading asterisk may be > > considered by sshd(8) as a sure sign of an account being locked. > > E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO. > > If you prevent accounts with a "*" from logging in with a ssh key you > will break POLA. I know that I have several systems where the > password in master.passwd is set to "*" and I then log in via ssh > keys. > > Also a "*" in the password file does not prevent a user logging in > when authenticating via Kerberos. Will Kerberos authentication codepath check for ``*LOCKED*'' either? -- Yar
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200409021250.i82CoPOq030871>