bin/71147: sshd(8) will allow to log into a locked account
Gleb Smirnoff
glebius at freebsd.org
Thu Sep 2 02:12:00 PDT 2004
On Wed, Sep 01, 2004 at 03:10:29PM +0000, Simon L. Nielsen wrote:
S> On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
S> > The following reply was made to PR bin/71147; it has been noted by GNATS.
S> >=20
S> > However, I feel that the full blown prefix `*LOCKED*' should be
S> > left for pw(8) purposes while just a leading asterisk may be
S> > considered by sshd(8) as a sure sign of an account being locked.
S> > E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
S>
S> If you prevent accounts with a "*" from logging in with a ssh key you
S> will break POLA. I know that I have several systems where the
S> password in master.passwd is set to "*" and I then log in via ssh
S> keys.
S>
S> Also a "*" in the password file does not prevent a user logging in
S> when authenticating via Kerberos.
I 100% percent agree with Simon. Many many people rely on this. Don't
make them lose access to their boxes after SSH upgrade.
--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
More information about the freebsd-bugs
mailing list