bin/71147: sshd(8) will allow to log into a locked account

Dag-Erling Smørgrav des at
Mon Aug 30 09:20:22 PDT 2004

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: des at (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=)
To: Yar Tikhiy <yar at>
Cc: Ruslan Ermilov <ru at>, FreeBSD-gnats-submit at
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 18:11:37 +0200

 Yar Tikhiy <yar at> writes:
 > There is a lot of ways to check user's identity: public key, Unix
 > password, TACACS+, RADIUS etc.  However, we are still in the Unix
 > reality, where there must exist a 1-to-1 correspondence between
 > user's identity and a local account.  And the common sense of this
 > Unix reality dictates IMHO that when I'm putting `*' into user's
 > password field of master.passwd, I do mean locking the user out of
 > the system.
 That's a policy decision, not an inherent feature of the underlying
 > In other words: An authentication subsystem guarantees that the user
 > connecting to my system is actually Joe Random User.  However, the
 > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
 > but now I want you to stay off my system until I allow you in."
 pw usermod joe -s /usr/sbin/nologin
 Dag-Erling Sm=F8rgrav - des at

More information about the freebsd-bugs mailing list