Date:      Thu, 2 Sep 2004 13:11:57 +0400
From:      Gleb Smirnoff <glebius@freebsd.org>
To:        "Simon L. Nielsen" <simon@freebsd.org>
Cc:        freebsd-bugs@freebsd.org
Subject:   Re: bin/71147: sshd(8) will allow to log into a locked account
Message-ID:  <20040902091157.GC56380@cell.sick.ru>
In-Reply-To: <200409011510.i81FATTk063839@freefall.freebsd.org>
References:  <200409011510.i81FATTk063839@freefall.freebsd.org>

On Wed, Sep 01, 2004 at 03:10:29PM +0000, Simon L. Nielsen wrote:
S>  On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
S>  > The following reply was made to PR bin/71147; it has been noted by GNATS.
S>  >
S>  >  However, I feel that the full blown prefix `*LOCKED*' should be
S>  >  left for pw(8) purposes while just a leading asterisk may be
S>  >  considered by sshd(8) as a sure sign of an account being locked.
S>  >  E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
S>  
S>  If you prevent accounts with a "*" from logging in with an ssh key you
S>  will break POLA.  I know that I have several systems where the
S>  password in master.passwd is set to "*" and I then log in via ssh
S>  keys.
S>  
S>  Also a "*" in the password file does not prevent a user logging in
S>  when authenticating via Kerberos.

I 100% agree with Simon. Many, many people rely on this. Don't
make them lose access to their boxes after an SSH upgrade.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
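The distinction the thread turns on, written out as an added example (this is not OpenSSH's or FreeBSD's code, and the function names, the sample master.passwd lines and the policy switch are all constructed here for illustration): sshd decides whether an account may continue to non-password authentication by inspecting the password field, and the two proposals differ only in which marker counts as "locked". Treating a bare "*" as locked denies Simon's key-only accounts; checking for pw(8)'s `*LOCKED*` prefix denies only accounts that were actually locked with `pw lock`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prefix written by `pw lock` on FreeBSD (see pw(8)). */
#define LOCKED_PASSWD_PREFIX "*LOCKED*"

/*
 * Copy the password field (second colon-separated field) of a
 * master.passwd(5) line into `out`. Returns false if the line has no
 * second field or the field does not fit. Hypothetical helper.
 */
static bool passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (start == NULL)
        return false;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outlen)
        return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* Policy proposed in the PR follow-up: any leading '*' means locked. */
static bool locked_if_bare_asterisk(const char *pw)
{
    return pw[0] == '*';
}

/* Policy Simon and Gleb argue for: only pw(8)'s "*LOCKED*" prefix means locked. */
static bool locked_if_pw_prefix(const char *pw)
{
    return strncmp(pw, LOCKED_PASSWD_PREFIX, strlen(LOCKED_PASSWD_PREFIX)) == 0;
}

/*
 * Whether sshd should let the account proceed to key or Kerberos auth.
 * `bare_asterisk_locks` selects between the two policies above.
 */
static bool account_allowed(const char *line, bool bare_asterisk_locks)
{
    char pw[256];
    if (!passwd_field(line, pw, sizeof pw))
        return false;             /* malformed entry: fail closed */
    return bare_asterisk_locks ? !locked_if_bare_asterisk(pw)
                               : !locked_if_pw_prefix(pw);
}

/* Constructed sample master.passwd lines, not taken from any real system. */
static const char *const sample_entries[] = {
    "simon:*:1001:1001::0:0:Simon:/home/simon:/bin/sh",              /* key-only login */
    "bob:*LOCKED*$6$salt$hash:1002:1002::0:0:Bob:/home/bob:/bin/sh", /* locked with pw(8) */
    "alice:$6$salt$hash:1003:1003::0:0:Alice:/home/alice:/bin/sh",   /* ordinary password */
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample_entries / sizeof sample_entries[0]; i++) {
        const char *e = sample_entries[i];
        printf("%-64.64s  bare-'*' policy: %-5s  *LOCKED* policy: %s\n", e,
               account_allowed(e, true) ? "deny" : "allow" ,
               account_allowed(e, false) ? "allow" : "deny");
    }
    return 0;
}
```

Running it shows the POLA break Simon describes: under the bare-asterisk policy the "simon" entry is denied even though its key-based login worked before, while under the `*LOCKED*` policy only the entry locked with pw(8) is refused and a Kerberos- or key-authenticated "*" account keeps working.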



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040902091157.GC56380>