bin/71147: sshd(8) will allow to log into a locked account

Yar Tikhiy yar at comp.chem.msu.su
Mon Aug 30 09:00:45 PDT 2004


The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Yar Tikhiy <yar at comp.chem.msu.su>
To: Ruslan Ermilov <ru at freebsd.org>
Cc: FreeBSD-gnats-submit at freebsd.org, des at freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 19:57:51 +0400

 On Mon, Aug 30, 2004 at 05:59:48PM +0300, Ruslan Ermilov wrote:
 > On Mon, Aug 30, 2004 at 04:52:54PM +0400, Yar Tikhiy wrote:
 > > 
 > > >Description:
 > > 	In FreeBSD (and other BSDs) the well-known way to lock out
 > > 	a user's account is setting the user's encrypted password to
 > > 	an asterisk character, `*', in master.passwd.  Arguably, one
 > > 	can also lock out a user by just _prefixing_ the password field
 > > 	value with `*'.  Anyway, sshd(8) will ignore either lock
 > > 	and allow the user to log in if he authenticates himself by
 > > 	means other than the Unix password, e.g., using his public key.
 > > 
 > Yes, if sshd(8) is configured accordingly.
 > 
 > > >Fix:
 > > 	If we forget about PAM for a while, the bug exists because
 > > 	src/crypto/openssh/configure.ac lacks description of account
 > > 	locking for FreeBSD.  It may be added to the OpenSSH source
 > > 	tree or to the FreeBSD source tree, but in either case it's
 > > 	a FreeBSD-specific issue.  The fix is as follows: find the
 > > 	FreeBSD-specific section (search for "freebsd") and add an AC
 > > 	macro there specifying the lock method.  It may be
 > > 
 > > 	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 > > 
 > > 	or
 > > 
 > > 	AC_DEFINE(LOCKED_PASSWD_PREFIX, "*")
 > > 
 > > 	depending on which "tradition" we decide to stick to.
 > > 
 > > 	Why does PAM allow locked users in?  That's another issue...
 > > 
 > PAM does not -- it's the pubkey authentication that does.  If you
 > disable the public key authentication method in sshd_config(5) (which
 > is enabled by default) then only PAM will be used, and no user with
 > locked password will be able to log in.
 > 
 > What you're probably looking for is to set the PubkeyAuthentication
 > and RSAAuthentication parameters to "no" in /etc/ssh/sshd_config.
 
 Excuse me, I seem to have confused PAM with the login capabilities
 subsystem.  Of course, PAM is just another way of authenticating a
 user.
 
 There are a lot of ways to check a user's identity: public key, Unix
 password, TACACS+, RADIUS, etc.  However, we are still in the Unix
 reality, where there must exist a 1-to-1 correspondence between
 user's identity and a local account.  And the common sense of this
 Unix reality dictates IMHO that when I'm putting `*' into a user's
 password field of master.passwd, I do mean locking the user out of
 the system.  Note that the passwd database originally served both
 purposes, authentication and defining accounts.  Now there are other
 ways of authentication, but account info is still kept in the passwd
 database.
 
 In other words: An authentication subsystem guarantees that the user
 connecting to my system is actually Joe Random User.  However, the
 asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
 but now I want you to stay off my system until I allow you in."
 
 That's my point here.
 
 -- 
 Yar
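The two lock conventions the PR proposes (LOCKED_PASSWD_STRING versus LOCKED_PASSWD_PREFIX), written out as a stand-alone check over master.passwd lines. This is an added example, not OpenSSH's auth.c nor any FreeBSD code; the macro names are borrowed from the PR as labels, and the sample entries and their placeholder hashes are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Added example (not OpenSSH or FreeBSD code); the master.passwd entries in
 * main() are constructed. Macro names are the ones the PR proposes, as labels. */
#define LOCKED_PASSWD_STRING "*"  /* whole field is exactly "*" */
#define LOCKED_PASSWD_PREFIX "*"  /* field merely begins with "*" */
/* True if the encrypted-password field marks the account as locked.
 * prefix_mode selects the "prefix" tradition; otherwise exact match only. */
bool passwd_field_locked(const char *pw_passwd, bool prefix_mode)
{
    if (prefix_mode)
        return strncmp(pw_passwd, LOCKED_PASSWD_PREFIX, strlen(LOCKED_PASSWD_PREFIX)) == 0;
    return strcmp(pw_passwd, LOCKED_PASSWD_STRING) == 0;
}

/* Copy the second (encrypted-password) field of a master.passwd line into
 * out. Returns false on a malformed line or an oversized field. */
bool passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    const char *end = start ? strchr(start + 1, ':') : NULL;
    if (end == NULL)
        return false;
    size_t n = (size_t)(end - start - 1);
    if (n >= outlen)
        return false;
    memcpy(out, start + 1, n);
    out[n] = '\0';
    return true;
}

/* Lock status of one full master.passwd line; a line that cannot be parsed
 * is reported as not locked, which a real checker should flag separately. */
bool line_locked(const char *line, bool prefix_mode)
{
    char field[128];
    return passwd_field(line, field, sizeof field) && passwd_field_locked(field, prefix_mode);
}

int main(void)
{   /* constructed entries; "carol" is locked only under the prefix rule */
    const char *e[] = { "alice:$1$ph$hash:1001:1001::0:0::/home/alice:/bin/sh",
                        "bob:*:1002:1002::0:0::/home/bob:/bin/sh",
                        "carol:*$1$ph$hash:1003:1003::0:0::/home/carol:/bin/sh" };
    for (int i = 0; i < 3; i++)
        printf("%s\n  exact=%d prefix=%d\n", e[i],
               line_locked(e[i], false), line_locked(e[i], true));
    return 0;
}
```

Whichever tradition is chosen, the point of the thread is that this check must run before any authentication method is offered, so a public key cannot bypass it.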
