bin/71147: sshd(8) will allow to log into a locked account
ceri at submonkey.net
Mon Aug 30 09:40:31 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Ceri Davies <ceri at submonkey.net>
To: Dag-Erling Sm?rgrav <des at des.no>
Cc: FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Mon, 30 Aug 2004 17:39:08 +0100
On Mon, Aug 30, 2004 at 04:20:21PM +0000, Dag-Erling Sm?rgrav wrote:
> The following reply was made to PR bin/71147; it has been noted by GNATS.
> From: des at des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=)
> To: Yar Tikhiy <yar at comp.chem.msu.su>
> Cc: Ruslan Ermilov <ru at freebsd.org>, FreeBSD-gnats-submit at freebsd.org
> Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
> Date: Mon, 30 Aug 2004 18:11:37 +0200
> Yar Tikhiy <yar at comp.chem.msu.su> writes:
> > There is a lot of ways to check user's identity: public key, Unix
> > password, TACACS+, RADIUS etc. However, we are still in the Unix
> > reality, where there must exist a 1-to-1 correspondence between
> > user's identity and a local account. And the common sense of this
> > Unix reality dictates IMHO that when I'm putting `*' into user's
> > password field of master.passwd, I do mean locking the user out of
> > the system.
> That's a policy decision, not an inherent feature of the underlying
> > In other words: An authentication subsystem guarantees that the user
> > connecting to my system is actually Joe Random User. However, the
> > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
> > but now I want you to stay off my system until I allow you in."
> pw usermod joe -s /usr/sbin/nologin
This is arguably what "pw lock joe" should do then.
It certainly sounds like prepending "*LOCKED*" is either incorrect, or
that sshd should be checking for *LOCKED*.
It is not tinfoil, it is my new skin. I am a robot.
More information about the freebsd-bugs