Date: Thu, 2 Sep 2004 13:11:57 +0400
From: Gleb Smirnoff <glebius@freebsd.org>
To: "Simon L. Nielsen" <simon@freebsd.org>
Cc: freebsd-bugs@freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Message-ID: <20040902091157.GC56380@cell.sick.ru>
In-Reply-To: <200409011510.i81FATTk063839@freefall.freebsd.org>
References: <200409011510.i81FATTk063839@freefall.freebsd.org>
On Wed, Sep 01, 2004 at 03:10:29PM +0000, Simon L. Nielsen wrote:
S> On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
S> > The following reply was made to PR bin/71147; it has been noted by GNATS.
S> >
S> > However, I feel that the full blown prefix `*LOCKED*' should be
S> > left for pw(8) purposes while just a leading asterisk may be
S> > considered by sshd(8) as a sure sign of an account being locked.
S> > E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
S>
S> If you prevent accounts with a "*" from logging in with a ssh key you
S> will break POLA. I know that I have several systems where the
S> password in master.passwd is set to "*" and I then log in via ssh
S> keys.
S>
S> Also a "*" in the password file does not prevent a user logging in
S> when authenticating via Kerberos.

I 100% agree with Simon. Many many people rely on this. Don't make them
lose access to their boxes after SSH upgrade.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
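The two candidate rules discussed in this thread differ on exactly one class of entries: accounts whose password field starts with "*" but is not the pw(8) "*LOCKED*" marker, typically accounts that are reached only by SSH public key. The following audit script is an added example, not code from the thread, from sshd or from pw(8); it reads master.passwd(5)-format lines, applies both rules, and lists the accounts that a bare leading-asterisk check would newly lock out. The sample entries are constructed for the example, the function names are my own, and the script does not look at authorized_keys or Kerberos, so an account it lists may or may not actually be in use.

```shell
#!/bin/sh
# Audit master.passwd(5) entries under two candidate "account is locked" rules:
#   strict : password field begins with the pw(8) lock marker "*LOCKED*"
#   star   : password field begins with any "*" (the rule proposed in the PR)
# Field layout per master.passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Constructed sample data (not a real password file). Hashes are placeholders.
SAMPLE='root:$6$salt$hash:0:0::0:0:Charlie &:/root:/bin/csh
alice:*LOCKED*$6$salt$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob (ssh keys only):/home/bob:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
# comment lines and blank lines are ignored
'

# classify_locked: reads master.passwd lines on stdin, writes one line per
# account: "<name>\t<strict: yes|no>\t<star: yes|no>".
classify_locked() {
    awk -F: '
    /^#/ || NF == 0 { next }
    {
        pw = $2
        strict = (index(pw, "*LOCKED*") == 1) ? "yes" : "no"
        star   = (substr(pw, 1, 1) == "*")    ? "yes" : "no"
        printf "%s\t%s\t%s\n", $1, strict, star
    }'
}

# key_only_candidates: accounts the leading-asterisk rule would lock even
# though pw(8) has not locked them. These are the entries Simon and Gleb
# are worried about; check each for ~/.ssh/authorized_keys before upgrading.
key_only_candidates() {
    classify_locked | awk -F'\t' '$2 == "no" && $3 == "yes" { print $1 }'
}

# Stand-alone usage: audit the sample data. On a real host, feed
#   /etc/master.passwd (readable by root only) instead of "$SAMPLE".
printf '%s\n' "$SAMPLE" | key_only_candidates
```

Run against /etc/master.passwd as root, the output is the list of accounts to review; "nobody"-style system accounts are expected there, while an ordinary user with a "*" password is very likely someone who logs in with keys and would lose access under the proposed rule.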