bin/71147: sshd(8) will allow to log into a locked account
Ruslan Ermilov
ru at FreeBSD.org
Wed Sep 1 04:10:24 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Ruslan Ermilov <ru at FreeBSD.org>
To: Ceri Davies <ceri at submonkey.net>
Cc: bug-followup at FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 14:03:59 +0300
On Wed, Sep 01, 2004 at 10:40:23AM +0000, Ceri Davies wrote:
> I don't agree, Yar. I think that "pw lock" should be the canonical way
> to lock an account, that *LOCKED* should therefore be the string that ssh
> checks for on FreeBSD (pw has been doing this for nearly five years, so
> I believe that this is the defacto standard now), and that any other string
> should be interpreted as "fail password authentication" only.
>
> Whatever we choose, the string should be passed back to the OpenSSH team
> so that they can check for it.
>
> And this should all be documented as such, obviously ;-)
>
Matching against the `*' prefix will also match the *LOCKED* prefix,
so I don't personally see a big problem here. But *LOCKED* looks
nicer to me, and for anyone editing in vipw(8) anyway.
Cheers,
--
Ruslan Ermilov
ru at FreeBSD.org
FreeBSD committer
More information about the freebsd-bugs
mailing list