cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c

Ceri Davies ceri at submonkey.net
Thu Apr 26 11:46:41 UTC 2007


On Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote:
> Hello, Yar Tikhiy!
> 
> On Thu, Apr 26, 2007 at 06:39:01AM +0000, you wrote:
> 
> > yar         2007-04-26 06:39:01 UTC
> > 
> >   FreeBSD src repository
> > 
> >   Modified files:        (Branch: RELENG_6)
> >     lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c 
> >   Log:
> >   MFC:
> >           pam_unix.c      1.52
> >           pam_unix.8      1.13
> >   
> >     In account management, verify whether the account has been locked
> >     with `pw lock', so that it's impossible to log into a locked account
> >     using an alternative authentication mechanism, such as an ssh key.
> >     This change affects only accounts locked with pw(8), i.e., having a
> >     `*LOCKED*' prefix in their password hash field, so people still can
> >     use a different pattern to disable password authentication only.
> 
> Using the very same logic you should also add checking for '*', and for
> any other string that cannot be in the password hash of different
> algorithms. By the way, what if some crypto algorithm that will be
> used for password hashing can produce a hash that contains the substring
> '*LOCKED*'?

We really need to grow the same mechanism for this as Solaris has.
The way that this works is:

  o If the password hash begins with *NP* then the user has no password
     and password authentication will always fail.

  o If the password hash begins with *LK* then the account is considered
     locked and all authentication fails.  Also, cron and at will
     not run jobs for that user.

  o Anything else, the account is considered enabled (although of
     course, password checking can still fail if the hash is not
     valid).

I couldn't care less what the strings actually are, but we should
probably use *LOCKED* for the locked case, although I can see that we
may wish to use something else to provide a somewhat backward compatible
route - those who have been using the string *LOCKED* as stated in the
pw manual would get the same behaviour that they do now.

I am willing to work on this, but not without general agreement on the
above.

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
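The account-state model sketched in this thread (a marker prefix in the hash field selecting "locked", "no password" or "enabled") can be shown as a small check function. The code below is an added example and is not the pam_unix change from the commit; the enum, table and function names are hypothetical. It matches the markers as prefixes only, which is what answers the concern about a marker string turning up somewhere inside a real hash: "$1$salt$*LOCKED*" is classified as an ordinary hash. A hash field beginning with a lone '*' or any other non-crypt pattern falls through to "enabled", where the crypt comparison fails on its own, so only password authentication is disabled for such accounts, as the commit message describes.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical states a PAM account-management hook could derive from the
 * password hash field. These names are invented for this example. */
enum account_state {
    ACCOUNT_ENABLED,     /* ordinary hash: password check proceeds, other methods allowed */
    ACCOUNT_NO_PASSWORD, /* password authentication always fails; other methods still allowed */
    ACCOUNT_LOCKED       /* every authentication method fails */
};

/* Marker strings named in the thread: FreeBSD pw(8)'s *LOCKED* and the
 * Solaris *LK* / *NP* convention. Table order does not matter because the
 * markers are compared as prefixes and none is a prefix of another. */
static const struct marker {
    const char *prefix;
    enum account_state state;
} markers[] = {
    { "*LOCKED*", ACCOUNT_LOCKED },
    { "*LK*",     ACCOUNT_LOCKED },
    { "*NP*",     ACCOUNT_NO_PASSWORD },
};

static int has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Classify a password hash field. Only the start of the field is inspected,
 * so a marker appearing later inside a genuine hash does not change the
 * account state. An absent or empty field is treated as an ordinary
 * (unlocked) account and left to the password check. */
enum account_state classify_hash(const char *hash)
{
    size_t i;

    if (hash == NULL || hash[0] == '\0')
        return ACCOUNT_ENABLED;
    for (i = 0; i < sizeof(markers) / sizeof(markers[0]); i++)
        if (has_prefix(hash, markers[i].prefix))
            return markers[i].state;
    return ACCOUNT_ENABLED; /* includes a lone '*' or any other non-crypt string */
}

/* Whether a given authentication method may proceed for this account state.
 * is_password_auth is nonzero for password-based login, zero for e.g. an ssh key. */
int auth_allowed(enum account_state state, int is_password_auth)
{
    switch (state) {
    case ACCOUNT_LOCKED:
        return 0;                    /* locked blocks every method, ssh keys included */
    case ACCOUNT_NO_PASSWORD:
        return !is_password_auth;    /* only password login is refused */
    default:
        return 1;
    }
}
```

The two-step split (classify, then decide per method) is the point of the Solaris model the reply argues for: the locked state is enforced in account management, before any authenticator runs, so a key-based login cannot bypass it, while a disabled password leaves non-password methods alone.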