bin/71147: sshd(8) will allow to log into a locked account

Yar Tikhiy yar at comp.chem.msu.su
Mon Aug 30 06:00:43 PDT 2004 

>Number:         71147
>Category:       bin
>Synopsis:       sshd(8) will allow to log into a locked account
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 30 13:00:41 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Yar Tikhiy
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
Moscow State University
>Environment:
System: FreeBSD stylish.chem.msu.su 6.0-CURRENT FreeBSD 6.0-CURRENT #1: Fri Aug 27 19:34:38 MSD 2004 root at stylish.chem.msu.su:/usr/obj/usr/src/sys/STYLISH i386

>Description:
	In FreeBSD (and other BSDs,) the well-known way to lock out
	a user's account is setting the user's encrypted password to
	an asterisk character, `*', in master.passwd.  Arguably, one
	can also lock out a user by just _prefixing_ the password field
	value with `*'.  Anyway, sshd(8) will ignore either lock
	and allow the user to log in if he authenticates himself by
	means other than the Unix password, e.g., using his public key.

>How-To-Repeat:
	1) set up pub-key authentication for a user;

	2) lock out the user's account by setting the password field
	   of the user's record in master.passwd to just an asterisk.

	3) try to log into the account via SSH using the user's pub-key;

	4) see successful login.

>Fix:
	If we forget about PAM for a while, the bug exists because
	src/crypto/openssh/configure.ac lacks description of account
	locking for FreeBSD.  It may be added to the OpenSSH source
	tree or to the FreeBSD source tree, but in either case it's
	a FreeBSD-specific issue.  The fix is as follows: find the
	FreeBSD-specific section (search for "freebsd") and add an AC
	macro there specifying the lock method.  It may be

	AC_DEFINE(LOCKED_PASSWD_STRING, "*")

	or

	AC_DEFINE(LOCKED_PASSWD_PREFIX, "*")

	depending on which "tradition" we decide to stick to.

	Why does PAM allows locked users in?  That's another issue...
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list