cvs commit: src/share/man/man5 passwd.5

Ceri Davies ceri at
Tue Sep 20 02:16:32 PDT 2005

On Mon, Sep 19, 2005 at 08:40:17PM +0300, Giorgos Keramidas wrote:
> On 2005-09-19 17:52, Ceri Davies <ceri at> wrote:
> >
> > What I'm getting at is that some operating systems allow a special *FOO
> > string in their (equivalent of) master.passwd file in order to indicate
> > that sshd should not allow users with that string in their entry to log
> > in.
> >
> > For example, Solaris uses the string *NP* to indicate that a user has no
> > password - password authentication is therefore disabled for that user,
> > disallowing su, password-based ssh access, etc.  Cron jobs, key-based
> > auth, etc. continue to work.  It also supports *LK* which indicates that
> > an account is locked: in this case, cron jobs for the user will not be
> > run and ssh access is denied altogether.
> >
> > The ssh bit works because OpenSSH knows that it should be looking for
> > the string *LK* and denying access if it is there.  Search for
> > LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.
> >
> > What I'm wondering is why OpenSSH doesn't know about *LOCKED*;  previous
> > discussions that I've had indicate that this is because we (the FreeBSD
> > project) haven't decided that *LOCKED* is canonical enough yet.
> Right.  This is exactly why I didn't even attempt to document anything
> to that effect.  I'm not sure what to write about, so I don't write
> something that is wrong :)

Fair enough :)

So does anyone think that feeding this back to the OpenSSH project makes

Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the cvs-src mailing list