bin/71147: sshd(8) will allow to log into a locked account

[Ceri Davies]

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Ceri Davies <ceri at submonkey.net>
To: Dag-Erling Sm?rgrav <des at des.no>
Cc: FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 17:39:08 +0100

 On Mon, Aug 30, 2004 at 04:20:21PM +0000, Dag-Erling Sm?rgrav wrote:
 > The following reply was made to PR bin/71147; it has been noted by GNATS.
 > 
 > From: des at des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=)
 > To: Yar Tikhiy <yar at comp.chem.msu.su>
 > Cc: Ruslan Ermilov <ru at freebsd.org>, FreeBSD-gnats-submit at freebsd.org
 > Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
 > Date: Mon, 30 Aug 2004 18:11:37 +0200
 > 
 >  Yar Tikhiy <yar at comp.chem.msu.su> writes:
 >  > There is a lot of ways to check user's identity: public key, Unix
 >  > password, TACACS+, RADIUS etc.  However, we are still in the Unix
 >  > reality, where there must exist a 1-to-1 correspondence between
 >  > user's identity and a local account.  And the common sense of this
 >  > Unix reality dictates IMHO that when I'm putting `*' into user's
 >  > password field of master.passwd, I do mean locking the user out of
 >  > the system.
 >  
 >  That's a policy decision, not an inherent feature of the underlying
 >  mechanism.
 >  
 >  > In other words: An authentication subsystem guarantees that the user
 >  > connecting to my system is actually Joe Random User.  However, the
 >  > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
 >  > but now I want you to stay off my system until I allow you in."
 >  
 >  pw usermod joe -s /usr/sbin/nologin
 
 This is arguably what "pw lock joe" should do then.
 It certainly sounds like prepending "*LOCKED*" is either incorrect, or
 that sshd should be checking for *LOCKED*.
 
 Ceri
 -- 
 It is not tinfoil, it is my new skin.  I am a robot.