bin/71147: sshd(8) will allow to log into a locked account
ru at freebsd.org
Mon Aug 30 08:00:50 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Ruslan Ermilov <ru at freebsd.org>
To: Yar Tikhiy <yar at comp.chem.msu.su>
Cc: FreeBSD-gnats-submit at freebsd.org, des at freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 17:59:48 +0300
On Mon, Aug 30, 2004 at 04:52:54PM +0400, Yar Tikhiy wrote:
> In FreeBSD (and other BSDs,) the well-known way to lock out
> a user's account is setting the user's encrypted password to
> an asterisk character, `*', in master.passwd. Arguably, one
> can also lock out a user by just _prefixing_ the password field
> value with `*'. Anyway, sshd(8) will ignore either lock
> and allow the user to log in if he authenticates himself by
> means other than the Unix password, e.g., using his public key.
Yes, if sshd(8) is configured accordingly.
> If we forget about PAM for a while, the bug exists because
> src/crypto/openssh/configure.ac lacks description of account
> locking for FreeBSD. It may be added to the OpenSSH source
> tree or to the FreeBSD source tree, but in either case it's
> a FreeBSD-specific issue. The fix is as follows: find the
> FreeBSD-specific section (search for "freebsd") and add an AC
> macro there specifying the lock method. It may be
> AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> AC_DEFINE(LOCKED_PASSWD_PREFIX, "*")
> depending on which "tradition" we decide to stick to.
> Why does PAM allow locked users in? That's another issue...
PAM does not -- it's the pubkey authentication that does. If you
disable the public key authentication method in sshd_config(5) (which
is enabled by default) then only PAM will be used, and no user with a
locked password will be able to log in.
What you're probably looking for is to set the PubkeyAuthentication
and RSAAuthentication parameters to "no" in /etc/ssh/sshd_config.
ru at FreeBSD.org
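An added audit check for the gap discussed in this thread (example code, not from the PR, FreeBSD or OpenSSH): it lists accounts locked by the BSD `*` convention, exact or prefix, on a host whose sshd_config leaves PubkeyAuthentication at its default of yes. The master.passwd and sshd_config contents are constructed samples; the protocol-1 RSAAuthentication keyword and Match blocks are not considered.

```python
from typing import List

def is_locked(pw_field: str, prefix_counts: bool = True) -> bool:
    """Locked per the BSD convention: password field is exactly '*'
    (LOCKED_PASSWD_STRING style) or, if prefix_counts, merely starts
    with '*' (LOCKED_PASSWD_PREFIX style)."""
    if pw_field == "*":
        return True
    return prefix_counts and pw_field.startswith("*")

def pubkey_enabled(sshd_config: str) -> bool:
    """True if sshd_config leaves PubkeyAuthentication on. Per sshd_config(5)
    the first value seen for a keyword wins and the default is yes.
    Simplification: Match blocks are ignored."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "pubkeyauthentication":
            return parts[1].strip().lower() != "no"
    return True

def locked_but_reachable(master_passwd: str, sshd_config: str) -> List[str]:
    """Names of users whose password is locked but who could still log in
    over ssh with a public key, because pubkey auth bypasses the lock."""
    if not pubkey_enabled(sshd_config):
        return []
    found = []
    for raw in master_passwd.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")  # name:pw:uid:gid:class:change:expire:gecos:home:shell
        if len(fields) < 10:
            continue
        if is_locked(fields[1]):
            found.append(fields[0])
    return found

# Constructed sample data; the hashes are placeholders, not real credentials.
SAMPLE_MASTER_PASSWD = """\
root:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$placeholder$yyyyyyyyyyyyyyyyyyyyyy:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*$1$placeholder$zzzzzzzzzzzzzzzzzzzzzz:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

SAMPLE_SSHD_CONFIG = """\
#PubkeyAuthentication yes   <- commented out, so the default (yes) applies
PasswordAuthentication no
UsePAM yes
"""
```

Running `locked_but_reachable(SAMPLE_MASTER_PASSWD, SAMPLE_SSHD_CONFIG)` on the samples reports alice and carol; with `PubkeyAuthentication no` in the config the list is empty.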