cvs commit: src/share/man/man5 passwd.5
Ceri Davies
ceri at submonkey.net
Tue Sep 20 02:16:32 PDT 2005
On Mon, Sep 19, 2005 at 08:40:17PM +0300, Giorgos Keramidas wrote:
> On 2005-09-19 17:52, Ceri Davies <ceri at submonkey.net> wrote:
> >
> > What I'm getting at is that some operating systems allow a special *FOO
> > string in their (equivalent of) master.passwd file in order to indicate
> > that sshd should not allow users with that string in their entry to log
> > in.
> >
> > For example, Solaris uses the string *NP* to indicate that a user has no
> > password - password authentication is therefore disabled for that user,
> > disallowing su, password-based ssh access, etc. Cron jobs, key-based
> > auth, etc. continue to work. It also supports *LK* which indicates that
> > an account is locked: in this case, cron jobs for the user will not be
> > run and ssh access is denied altogether.
> >
> > The ssh bit works because OpenSSH knows that it should be looking for
> > the string *LK* and denying access if it is there. Search for
> > LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.
> >
> > What I'm wondering is why OpenSSH doesn't know about *LOCKED*; previous
> > discussions that I've had indicate that this is because we (the FreeBSD
> > project) haven't decided that *LOCKED* is canonical enough yet.
>
> Right. This is exactly why I didn't even attempt to document anything
> to that effect. I'm not sure what to write about, so I don't write
> something that is wrong :)
Fair enough :)
So does anyone think that feeding this back to the OpenSSH project makes
sense?
Ceri
--
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former. -- Einstein (attrib.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-all/attachments/20050920/b1bd348a/attachment.bin
More information about the cvs-all
mailing list