bin/71147: sshd(8) will allow to log into a locked account
Ruslan Ermilov
ru at FreeBSD.org
Tue Aug 31 05:10:45 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Ruslan Ermilov <ru at FreeBSD.org>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Tue, 31 Aug 2004 15:07:57 +0300
Yar asked me to follow up here...
As it turns out, this feature is available only in recent
OpenSSH versions (I haven't investigated which version it
first appeared in). I originally looked at the 4.x version
of the sshd(8) manpage, and it didn't mention any such
feature. In HEAD, OpenSSH provides this useful feature;
here's a relevant excerpt from the sshd(8) manpage in HEAD:
: Regardless of the authentication type, the account is
: checked to ensure that it is accessible. An account is
: not accessible if it is locked, listed in DenyUsers or
: its group is listed in DenyGroups . The definition of
: a locked account is system dependant. Some platforms have
: their own account database (eg AIX) and some modify the
: passwd field ( `*LK*' on Solaris, `*' on HP-UX, containing
: `Nologin' on Tru64 and a leading `!!' on Linux). If there
: is a requirement to disable password authentication for
: the account while allowing still public-key, then the
: passwd field should be set to something other than these
: values (eg `NP' or `*NP*' ).
For FreeBSD, I think the locking type should match the one
used by pw(8):
: USER LOCKING
: The pw utility supports a simple password locking mechanism
: for users; it works by prepending the string `*LOCKED*'
: to the beginning of the password field in master.passwd
: to prevent successful authentication. The lock and unlock
: commands take a user name or uid of the account to lock
: or unlock, respectively. The -V, -C, and -q options as
: described above are accepted by these commands.
That would be (in patch form):
%%%
Index: configure.ac
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/configure.ac,v
retrieving revision 1.9
diff -u -r1.9 configure.ac
--- configure.ac 20 Apr 2004 09:46:39 -0000 1.9
+++ configure.ac 31 Aug 2004 12:05:17 -0000
@@ -264,6 +264,7 @@
;;
*-*-freebsd*)
check_for_libcrypt_later=1
+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*")
;;
*-*-bsdi*)
AC_DEFINE(SETEUID_BREAKS_SETUID)
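Review bot: Defining LOCKED_PASSWD_PREFIX for the `*-*-freebsd*` case is only half of the behaviour this PR asks for; the visible hunk does not show that the tree's authentication code actually compares the passwd field against that macro, and the message itself notes that the 4.x sshd(8) manpage documented no such check, so confirm the comparison is present in this tree before relying on the define. Since pw(8) prepends `*LOCKED*' to the existing hash rather than replacing it, that comparison must be a prefix match, not an equality test. Consider also adding `*LOCKED*' (FreeBSD) to the sshd(8) manpage list that currently names the Solaris, HP-UX, Tru64 and Linux values, so administrators can tell a locked account from a `NP'/`*NP*' password-disabled one.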
%%%
Cheers,
--
Ruslan Ermilov
ru at FreeBSD.org
FreeBSD committer
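As an added illustration, not OpenSSH's own auth code and not part of this PR, here is the accessibility check the quoted sshd(8) excerpt describes, written around the LOCKED_PASSWD_PREFIX macro the patch above defines for FreeBSD. The master.passwd lines, the field-parsing helper and the function names are constructed for this example; the prefix can be overridden at compile time with one of the other platforms' values quoted from the manpage.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSH's auth.c. LOCKED_PASSWD_PREFIX is the
 * macro the patch above defines for FreeBSD; override it at compile time
 * for another platform's marker (e.g. -DLOCKED_PASSWD_PREFIX='"*LK*"'). */
#ifndef LOCKED_PASSWD_PREFIX
#define LOCKED_PASSWD_PREFIX "*LOCKED*"   /* the string pw(8) lock prepends */
#endif

/* Lock test. A prefix match is required because pw(8) prepends the marker
 * to the existing hash rather than replacing the whole field. */
int passwd_field_is_locked(const char *pw_passwd)
{
    size_t n = strlen(LOCKED_PASSWD_PREFIX);

    return pw_passwd != NULL && strncmp(pw_passwd, LOCKED_PASSWD_PREFIX, n) == 0;
}

/* Copy the second colon-separated field (the password field) of a
 * master.passwd-style line into out. Returns 0 on success, -1 if the line
 * is malformed or the field does not fit (constructed helper). */
int passwd_field_from_line(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    const char *end;
    size_t len;

    if (start == NULL)
        return -1;
    start++;                            /* skip the ':' after the user name */
    end = strchr(start, ':');
    if (end == NULL)
        return -1;
    len = (size_t)(end - start);
    if (len >= outlen)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* The gate sshd(8) describes: the account is not accessible if it is
 * locked. Returns 1 (locked), 0 (accessible) or -1 (malformed entry).
 * A value such as `*NP*' is deliberately not a lock: password login cannot
 * succeed against it, but public-key login stays possible. */
int account_line_is_locked(const char *line)
{
    char field[128];

    if (passwd_field_from_line(line, field, sizeof field) != 0)
        return -1;
    return passwd_field_is_locked(field);
}

int main(void)
{
    /* Constructed master.passwd lines; the hashes are placeholders. */
    static const char *lines[] = {
        "alice:$1$placeholderhash:1001:1001::0:0:Alice:/home/alice:/bin/sh",
        "bob:*LOCKED*$1$placeholderhash:1002:1002::0:0:Bob:/home/bob:/bin/sh",
        "carol:*NP*:1003:1003::0:0:Carol:/home/carol:/bin/sh",
        "broken-entry-without-fields",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *verdict;

        switch (account_line_is_locked(lines[i])) {
        case 1:  verdict = "locked";     break;
        case 0:  verdict = "accessible"; break;
        default: verdict = "malformed";  break;
        }
        printf("%-72s -> %s\n", lines[i], verdict);
    }
    return 0;
}
```

Note that the function returns -1 rather than "accessible" for an entry it cannot parse, so a caller that treats only an explicit 0 as permission to proceed fails closed on a damaged database.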