cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8
yar at comp.chem.msu.su
Sat Apr 28 14:02:53 UTC 2007
On Sat, Apr 28, 2007 at 04:17:49PM +0300, Alexandr Kovalenko wrote:
> Hello, Yar Tikhiy!
> On Fri, Apr 27, 2007 at 08:26:14PM +0400, you wrote:
> > On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote:
> > > Hello, Yar Tikhiy!
> > >
> > > On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote:
> > >
> > > > yar 2007-04-26 06:39:01 UTC
> > > >
> > > > FreeBSD src repository
> > > >
> > > > Modified files: (Branch: RELENG_6)
> > > > lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
> > > > Log:
> > > > MFC:
> > > > pam_unix.c 1.52
> > > > pam_unix.8 1.13
> > > >
> > > > In account management, verify whether the account has been locked
> > > > with `pw lock', so that it's impossible to log into a locked account
> > > > using an alternative authentication mechanism, such as an ssh key.
> > > > This change affects only accounts locked with pw(8), i.e., having a
> > > > `*LOCKED*' prefix in their password hash field, so people still can
> > > > use a different pattern to disable password authentication only.
> > >
> > > Using the very same logic you should also add checking for '*', and for
> > > any other string, which cannot be in password hash of different
> > > algorithms. By the way, what if some crypto algorithm, which will be
> > > used for password hashing can produce hash, which contains substring
> > > '*LOCKED*' ?
> > Please don't over-generalize. My change adds a check for a *LOCKED*
> > prefix only, which cannot appear in a password hash unless its current
> > format is broken. Neither an old DES hash nor a new multi-algorithm
> > hash can start with *LOCKED*.
> /sbin/nologin was used to disable logging in. There is also UsePAM
That would lose the user's original shell. OTOH, prepending *LOCKED*
to the password hash is totally reversible.
> option of sshd_config, why then UsePAM yes and UsePAM no should behave
> in a different way?
The funny fact is that now sshd(8) behaves consistently, and it's
partly due to my change. Earlier OpenSSH started to check for
*LOCKED* by itself if configured for FreeBSD, and it happened without
my help or prodding although I'd been for the change. The check
is reached only if UsePAM is set to `no', OpenSSH relies on PAM to
do all the local auth stuff otherwise.
> > > But anyway, I think that it is not expected behavour of sshd/pam_unix.
> > >
> > > >From the pw manual page:
> > >
> > > USER LOCKING
> > > The pw utility supports a simple _password_ locking mechanism for
> > > users; it works by prepending the string `*LOCKED*' to the
> > > beginning of the password field in master.passwd to prevent
> > > successful authentication.
> > >
> > > Please note word _password_. There is nothing about locking _account_
> > > completely.
> > I believe account locking was implied in the days pw(8) was written.
> > > Please consider reviewing this PR and, hopefully, back out this commit.
> > > At least for a lot of people - it is POLA violation.
> > Just run adduser(8) and see how it implements account locking and
> > password auth disabling. That's the system policy my change is in
> > keeping with.
> That's the better argument, than pw(8). Agreee with you.
> But, then you should document it well, check every place where *LOCKED*
> is used in source code and, I suppose this change worth some HEADS UP or
> something like that. Beacuse this change is really may confuse ppl, who
> were relying on the "wrong" behavour for years.
Sure, as soon as we reach total consensus on this issue.
> P.S. Fast and dirty search in sources showed only this:
> crypto/openssh/ChangeLog: "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
> crypto/openssh/config.h:#define LOCKED_PASSWD_PREFIX "*LOCKED*"
> crypto/openssh/configure.ac: AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)])
> crypto/openssh/sshd.8:.Ql \&*LOCKED\&*
> usr.sbin/adduser/adduser.8:.Dq Li *LOCKED*
> usr.sbin/pw/pw.8:.Ql *LOCKED*
> usr.sbin/pw/pw_user.c:static char locked_str = "*LOCKED*";
> usr.sbin/pw/pw_user.c: * a "*LOCKED*" prefix from in front of the password to
> NEVE-RIPE, will build world for food
> Ukrainian FreeBSD User Group
More information about the cvs-all