bin/71147: sshd(8) will allow to log into a locked account

Ruslan Ermilov ru at
Mon Aug 30 08:00:50 PDT 2004

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Ruslan Ermilov <ru at>
To: Yar Tikhiy <yar at>
Cc: FreeBSD-gnats-submit at, des at
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 17:59:48 +0300

 On Mon, Aug 30, 2004 at 04:52:54PM +0400, Yar Tikhiy wrote:
 > >Description:
 > 	In FreeBSD (and other BSDs,) the well-known way to lock out
 > 	a user's account is setting the user's encrypted password to
 > 	an asterisk character, `*', in master.passwd.  Arguably, one
 > 	can also lock out a user by just _prefixing_ the password field
 > 	value with `*'.  Anyway, sshd(8) will ignore either lock
 > 	and allow the user to log in if he authenticates himself by
 > 	means other than the Unix password, e.g., using his public key.
 Yes, if sshd(8) is configured accordingly.
 > >Fix:
 > 	If we forget about PAM for a while, the bug exists because
 > 	src/crypto/openssh/ lacks description of account
 > 	locking for FreeBSD.  It may be added to the OpenSSH source
 > 	tree or to the FreeBSD source tree, but in either case it's
 > 	a FreeBSD-specific issue.  The fix is as follows: find the
 > 	FreeBSD-specific section (search for "freebsd") and add an AC
 > 	macro there specifying the lock method.  It may be
 > 	or
 > 	depending on which "tradition" we decide to stick to.
 > 	Why does PAM allows locked users in?  That's another issue...
 PAM does not -- it's the pubkey authentication that does.  If you
 disable public key authentication method in sshd_config(5) (which
 is enabled by default) then only PAM will be used, and no user with
 locked password will be able to log in.
 What you're probably looking for is to set the PubkeyAuthentication
 and RSAAuthentication parameters to "no" in /etc/ssh/sshd_config.
 Ruslan Ermilov
 ru at
 FreeBSD committer
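An added audit example (not code from the PR, from OpenSSH or from FreeBSD) that turns the reply's advice into a check: it flags accounts locked with `*` in a master.passwd-style file while sshd_config still leaves PubkeyAuthentication or RSAAuthentication at "yes". The sample files are constructed, and the keyword parser assumes the plain "Keyword value" form (no "Keyword=value", no Match blocks).

```shell
#!/bin/sh
# Added audit helper (not from the PR or OpenSSH): find accounts locked the
# FreeBSD way ('*' password field) that sshd would still accept with a key.

# Print the value sshd would use for keyword $2 from config $1 (default $3).
# sshd honours the first occurrence of a keyword; a commented line ("#Pubkey...")
# is skipped because its first field is the '#'-prefixed word, not the keyword.
# Assumption: "Keyword value" form only (no "Keyword=value", no Match blocks).
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Print login names from a master.passwd-style file $1 whose encrypted password
# is exactly '*' or merely prefixed with '*' (both lock forms named in the PR).
locked_accounts() {
    awk -F: '$2 ~ /^\*/ { print $1 }' "$1"
}

# Print the locked accounts that sshd (per config $2) would still let in with a
# key, i.e. while PubkeyAuthentication or RSAAuthentication is left at "yes".
# Prints nothing once both are set to "no", as the reply recommends.
audit_locked_pubkey() {
    if [ "$(sshd_opt "$2" PubkeyAuthentication yes)" = yes ] ||
       [ "$(sshd_opt "$2" RSAAuthentication yes)" = yes ]; then
        locked_accounts "$1"
    fi
}

# Write constructed sample files (not real system data) to a temp dir; print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/master.passwd" <<'EOF'
root:$1$saltsalt$hashhashhashhashhashha:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*$1$saltsalt$hashhashhashhashhashha:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$saltsalt$hashhashhashhashhashha:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
    printf '# stock: keyword commented out, so the default (yes) applies\n#PubkeyAuthentication yes\nUsePAM yes\n' > "$d/sshd_config.default"
    printf 'PubkeyAuthentication no\nRSAAuthentication no\nUsePAM yes\n' > "$d/sshd_config.hardened"
    echo "$d"
}

D=$(make_samples)
audit_locked_pubkey "$D/master.passwd" "$D/sshd_config.default"   # prints alice and bob
rm -rf "$D"
```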
