Date: Wed, 1 Sep 2004 15:10:29 GMT From: "Simon L. Nielsen" <simon@FreeBSD.org> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Message-ID: <200409011510.i81FATTk063839@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/71147; it has been noted by GNATS. From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Yar Tikhiy <yar@comp.chem.msu.su> Cc: freebsd-gnats-submit@FreeBSD.org Subject: Re: bin/71147: sshd(8) will allow to log into a locked account Date: Wed, 1 Sep 2004 17:06:21 +0200 --IiVenqGWf+H9Y6IX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote: > The following reply was made to PR bin/71147; it has been noted by GNATS. >=20 > However, I feel that the full blown prefix `*LOCKED*' should be > left for pw(8) purposes while just a leading asterisk may be > considered by sshd(8) as a sure sign of an account being locked. > E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO. If you prevent accounts with a "*" from logging in with a ssh key you will break POLA. I know that I have several systems where the password in master.passwd is set to "*" and I then log in via ssh keys. Also a "*" in the password file does not prevent a user logging in when authenticating via Kerberos. --=20 Simon L. Nielsen FreeBSD Documentation Team --IiVenqGWf+H9Y6IX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBNeVth9pcDSc1mlERAry9AJ9e/YuimUR2/MdQZTl32tw5f8i1UgCgrAOi UvI51SjxveTY26yrQ3bEwYg= =dJ0F -----END PGP SIGNATURE----- --IiVenqGWf+H9Y6IX--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200409011510.i81FATTk063839>