bin/71147: sshd(8) will allow to log into a locked account
Dag-Erling Smørgrav
des at des.no
Mon Aug 30 09:20:22 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: des at des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=)
To: Yar Tikhiy <yar at comp.chem.msu.su>
Cc: Ruslan Ermilov <ru at freebsd.org>, FreeBSD-gnats-submit at freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 18:11:37 +0200
Yar Tikhiy <yar at comp.chem.msu.su> writes:
> There is a lot of ways to check user's identity: public key, Unix
> password, TACACS+, RADIUS etc. However, we are still in the Unix
> reality, where there must exist a 1-to-1 correspondence between
> user's identity and a local account. And the common sense of this
> Unix reality dictates IMHO that when I'm putting `*' into user's
> password field of master.passwd, I do mean locking the user out of
> the system.
That's a policy decision, not an inherent feature of the underlying
mechanism.
> In other words: An authentication subsystem guarantees that the user
> connecting to my system is actually Joe Random User. However, the
> asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
> but now I want you to stay off my system until I allow you in."
pw usermod joe -s /usr/sbin/nologin
DES
--=20
Dag-Erling Sm=F8rgrav - des at des.no
More information about the freebsd-bugs
mailing list