bin/71147: sshd(8) will allow to log into a locked account
yar at comp.chem.msu.su
Mon Aug 30 06:00:43 PDT 2004
>Synopsis: sshd(8) will allow to log into a locked account
>Arrival-Date: Mon Aug 30 13:00:41 GMT 2004
>Originator: Yar Tikhiy
>Release: FreeBSD 6.0-CURRENT i386
Moscow State University
System: FreeBSD stylish.chem.msu.su 6.0-CURRENT FreeBSD 6.0-CURRENT #1: Fri Aug 27 19:34:38 MSD 2004 root at stylish.chem.msu.su:/usr/obj/usr/src/sys/STYLISH i386
In FreeBSD (and other BSDs), the well-known way to lock out
a user's account is to set the user's encrypted password to
an asterisk character, `*', in master.passwd. Arguably, one
can also lock out a user by just _prefixing_ the password field
value with `*'. Either way, sshd(8) will ignore the lock
and allow the user to log in if he authenticates himself by
means other than the Unix password, e.g., using his public key.
1) set up pub-key authentication for a user;
2) lock out the user's account by setting the password field
of the user's record in master.passwd to just an asterisk;
3) try to log into the account via SSH using the user's pub-key;
4) see successful login.
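The condition the report describes can be audited from the password database alone: any account whose password field is locked under either convention (exact `*` or a `*` prefix) but whose home directory still carries an authorized_keys file is one that an sshd without account-lock support would admit. The following is an added example, not part of the PR or of the OpenSSH/FreeBSD sources; the master.passwd records and the set of homes holding authorized_keys are constructed sample data standing in for the real files.

```python
"""Audit master.passwd-style records for locked accounts that remain reachable
through SSH public-key authentication (added example, constructed data)."""

from typing import Iterable, List, NamedTuple, Set


class PwEntry(NamedTuple):
    name: str
    password: str  # encrypted-password field from master.passwd
    uid: int
    home: str
    shell: str


# Constructed sample in FreeBSD master.passwd format:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
root:$1$exampleroot$hash:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*$1$examplebob$hash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$examplecarol$hash:1003:1003::0:0:Carol:/home/carol:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

# Constructed stand-in for a filesystem scan: homes that contain .ssh/authorized_keys.
SAMPLE_HOMES_WITH_KEYS: Set[str] = {"/home/alice", "/home/bob"}


def is_locked(password_field: str, prefix_tradition: bool = True) -> bool:
    """True if the encrypted-password field marks the account as locked.

    An exact '*' is the classic BSD lock.  With prefix_tradition=True a field
    that merely starts with '*' (e.g. '*$1$...') also counts, which is the
    second convention the report mentions.
    """
    if password_field == "*":
        return True
    return prefix_tradition and password_field.startswith("*")


def parse_master_passwd(text: str) -> List[PwEntry]:
    """Parse master.passwd text (10 colon-separated fields) into PwEntry records."""
    entries: List[PwEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd line: {line!r}")
        entries.append(PwEntry(fields[0], fields[1], int(fields[2]), fields[8], fields[9]))
    return entries


def locked_accounts_with_keys(entries: Iterable[PwEntry], homes_with_keys: Set[str],
                              prefix_tradition: bool = True) -> List[str]:
    """Names of locked accounts whose home holds an authorized_keys file.

    These are the accounts an sshd that ignores the password-field lock would
    still admit via public-key authentication.
    """
    return [e.name for e in entries
            if is_locked(e.password, prefix_tradition) and e.home in homes_with_keys]


if __name__ == "__main__":
    records = parse_master_passwd(SAMPLE_MASTER_PASSWD)
    for tradition in (True, False):
        exposed = locked_accounts_with_keys(records, SAMPLE_HOMES_WITH_KEYS, tradition)
        print(f"prefix_tradition={tradition}: locked but key-reachable: {exposed}")
```

On a real host the record text would come from `/etc/master.passwd` (root-readable only) and the set of homes from a scan for `.ssh/authorized_keys`; the two conventions are kept selectable because the report leaves open which one the fix should follow.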
If we forget about PAM for a while, the bug exists because
src/crypto/openssh/configure.ac lacks a description of account
locking for FreeBSD. It may be added to the OpenSSH source
tree or to the FreeBSD source tree, but in either case it's
a FreeBSD-specific issue. The fix is as follows: find the
FreeBSD-specific section (search for "freebsd") and add an AC
macro there specifying the lock method. It may be
depending on which "tradition" we decide to stick to.
Why does PAM allow locked users in? That's another issue...