Date: Tue, 20 Sep 2005 10:16:28 +0100
From: Ceri Davies <ceri@submonkey.net>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/share/man/man5 passwd.5
Message-ID: <20050920091628.GL4124@submonkey.net>
In-Reply-To: <20050919174017.GA38329@flame.pc>
References: <200509181540.j8IFe2LR042274@repoman.freebsd.org> <20050918200104.F89636@ury.york.ac.uk> <20050918203109.GA1419@flame.pc> <20050918222401.GQ441@submonkey.net> <20050919122020.GA1759@flame.pc> <20050919165219.GB4124@submonkey.net> <20050919174017.GA38329@flame.pc>

On Mon, Sep 19, 2005 at 08:40:17PM +0300, Giorgos Keramidas wrote:
> On 2005-09-19 17:52, Ceri Davies <ceri@submonkey.net> wrote:
> >
> > What I'm getting at is that some operating systems allow a special *FOO
> > string in their (equivalent of) master.passwd file in order to indicate
> > that sshd should not allow users with that string in their entry to log
> > in.
> >
> > For example, Solaris uses the string *NP* to indicate that a user has no
> > password - password authentication is therefore disabled for that user,
> > disallowing su, password-based ssh access, etc. Cron jobs, key-based
> > auth, etc. continue to work. It also supports *LK* which indicates that
> > an account is locked: in this case, cron jobs for the user will not be
> > run and ssh access is denied altogether.
> >
> > The ssh bit works because OpenSSH knows that it should be looking for
> > the string *LK* and denying access if it is there. Search for
> > LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.
> >
> > What I'm wondering is why OpenSSH doesn't know about *LOCKED*; previous
> > discussions that I've had indicate that this is because we (the FreeBSD
> > project) haven't decided that *LOCKED* is canonical enough yet.
>
> Right. This is exactly why I didn't even attempt to document anything
> to that effect. I'm not sure what to write about, so I don't write
> something that is wrong :)

Fair enough :)

So does anyone think that feeding this back to the OpenSSH project makes
sense?

Ceri

--
Only two things are infinite, the universe and human stupidity, and I'm not
sure about the former.
                          -- Einstein (attrib.)
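
Added example, not part of the original message and not OpenSSH or FreeBSD code: a small C classifier for the password-field markers the message describes, showing why a check that only compares against *LK* does not catch a *LOCKED* entry. The function names are hypothetical, matching *LOCKED* as a prefix of the field is an assumption, and the sample fields are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Markers named in the message. Matching *LOCKED* as a prefix is an
 * assumption of this example. All function names are hypothetical. */
#define SOLARIS_LOCKED   "*LK*"
#define SOLARIS_NOPASSWD "*NP*"
#define FREEBSD_LOCKED   "*LOCKED*"

enum acct_state { ACCT_NORMAL, ACCT_NO_PASSWORD, ACCT_LOCKED };

/* A check that only knows the Solaris string, for comparison. */
int locked_exact_only(const char *field)
{
    return field != NULL && strcmp(field, SOLARIS_LOCKED) == 0;
}

/* Classify the password field of one passwd-style entry. */
enum acct_state classify_pw_field(const char *field)
{
    if (field == NULL)
        return ACCT_LOCKED;               /* fail closed on a missing field */
    if (strcmp(field, SOLARIS_LOCKED) == 0 ||
        strncmp(field, FREEBSD_LOCKED, strlen(FREEBSD_LOCKED)) == 0)
        return ACCT_LOCKED;
    if (strcmp(field, SOLARIS_NOPASSWD) == 0)
        return ACCT_NO_PASSWORD;
    return ACCT_NORMAL;
}

/* 1 if an ssh attempt may go on to authentication, 0 if refused up front.
 * Locked: refused for every method. No password: password auth only. */
int ssh_attempt_allowed(const char *field, int key_based)
{
    switch (classify_pw_field(field)) {
    case ACCT_LOCKED:      return 0;
    case ACCT_NO_PASSWORD: return key_based != 0;
    default:               return 1;
    }
}

int main(void)
{
    /* Constructed sample fields, not real hashes. */
    const char *s[] = { "*LK*", "*NP*", "*LOCKED*$1$constructed", "$1$constructed" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-24s exact-only=%d password=%d key=%d\n", s[i], locked_exact_only(s[i]),
               ssh_attempt_allowed(s[i], 0), ssh_attempt_allowed(s[i], 1));
    return 0;
}
```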