cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8
yar at comp.chem.msu.su
Fri Apr 27 16:26:19 UTC 2007
On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote:
> Hello, Yar Tikhiy!
> On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote:
> > yar 2007-04-26 06:39:01 UTC
> > FreeBSD src repository
> > Modified files: (Branch: RELENG_6)
> > lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
> > Log:
> > MFC:
> > pam_unix.c 1.52
> > pam_unix.8 1.13
> > In account management, verify whether the account has been locked
> > with `pw lock', so that it's impossible to log into a locked account
> > using an alternative authentication mechanism, such as an ssh key.
> > This change affects only accounts locked with pw(8), i.e., having a
> > `*LOCKED*' prefix in their password hash field, so people still can
> > use a different pattern to disable password authentication only.
> Using the very same logic you should also add checking for '*', and for
> any other string, which cannot be in password hash of different
> algorithms. By the way, what if some crypto algorithm, which will be
> used for password hashing can produce hash, which contains substring
> '*LOCKED*' ?
Please don't over-generalize. My change adds a check for a *LOCKED*
prefix only, which cannot appear in a password hash unless its current
format is broken. Neither an old DES hash nor a new multi-algorithm
hash can start with *LOCKED*.
> But anyway, I think that it is not expected behavour of sshd/pam_unix.
> >From the pw manual page:
> USER LOCKING
> The pw utility supports a simple _password_ locking mechanism for
> users; it works by prepending the string `*LOCKED*' to the
> beginning of the password field in master.passwd to prevent
> successful authentication.
> Please note word _password_. There is nothing about locking _account_
I believe account locking was implied in the days pw(8) was written.
> Please consider reviewing this PR and, hopefully, back out this commit.
> At least for a lot of people - it is POLA violation.
Just run adduser(8) and see how it implements account locking and
password auth disabling. That's the system policy my change is in
> > Mention all account management criteria in the manpage.
> > PR: bin/71147 http://www.FreeBSD.org/cgi/query-pr.cgi?pr=71147
> > Revision Changes Path
> > 18.104.22.168 +16 -3 src/lib/libpam/modules/pam_unix/pam_unix.8
> > 22.214.171.124 +6 -0 src/lib/libpam/modules/pam_unix/pam_unix.c
> NEVE-RIPE, will build world for food
> Ukrainian FreeBSD User Group
More information about the cvs-src