cvs commit: src/share/man/man5 passwd.5

Giorgos Keramidas keramida at
Mon Sep 19 10:40:41 PDT 2005

On 2005-09-19 17:52, Ceri Davies <ceri at> wrote:
> What I'm getting at is that some operating systems allow a special *FOO
> string in their (equivalent of) master.passwd file in order to indicate
> that sshd should not allow users with that string in their entry to log
> in.
> For example, Solaris uses the string *NP* to indicate that a user has no
> password - password authentication is therefore disabled for that user,
> disallowing su, password-based ssh access, etc.  Cron jobs, key-based
> auth, etc. continue to work.  It also supports *LK* which indicates that
> an account is locked: in this case, cron jobs for the user will not be
> run and ssh access is denied altogether.
> The ssh bit works because OpenSSH knows that it should be looking for
> the string *LK* and denying access if it is there.  Search for
> LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.
> What I'm wondering is why OpenSSH doesn't know about *LOCKED*;  previous
> discussions that I've had indicate that this is because we (the FreeBSD
> project) haven't decided that *LOCKED* is canonical enough yet.

Right.  This is exactly why I didn't even attempt to document anything
to that effect.  I'm not sure what to write about, so I don't write
something that is wrong :)

More information about the cvs-src mailing list