bin/71147: sshd(8) will allow to log into a locked account
Yar Tikhiy
yar at comp.chem.msu.su
Tue Aug 31 20:10:23 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Yar Tikhiy <yar at comp.chem.msu.su>
To: Dag-Erling Smørgrav <des at des.no>
Cc: Ruslan Ermilov <ru at freebsd.org>, FreeBSD-gnats-submit at freebsd.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 07:01:36 +0400
On Mon, Aug 30, 2004 at 06:11:37PM +0200, Dag-Erling Smørgrav wrote:
> Yar Tikhiy <yar at comp.chem.msu.su> writes:
> > There are a lot of ways to check user's identity: public key, Unix
> > password, TACACS+, RADIUS etc. However, we are still in the Unix
> > reality, where there must exist a 1-to-1 correspondence between
> > user's identity and a local account. And the common sense of this
> > Unix reality dictates IMHO that when I'm putting `*' into user's
> > password field of master.passwd, I do mean locking the user out of
> > the system.
>
> That's a policy decision, not an inherent feature of the underlying
> mechanism.
Yes, but this policy decision has become the best current practice,
and diverging from it isn't significantly better than renaming `ls'
to `dir' so that users migrating from MS Windows are happy.
> > In other words: An authentication subsystem guarantees that the user
> > connecting to my system is actually Joe Random User. However, the
> > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
> > but now I want you to stay off my system until I allow you in."
>
> pw usermod joe -s /usr/sbin/nologin
As has already been noted in the audit trail, pw(8) implements
account locking of its own, which in fact sticks to the asterisk
locking practice. The native locking of pw(8) is also better than
assigning nologin(8) as the user's shell because the former can be
undone, which makes performing lock/unlock cycles really easy.
Assigning nologin(8) is closer to completely disabling an account
than to locking it.
However, I feel that the full blown prefix `*LOCKED*' should be
left for pw(8) purposes while just a leading asterisk may be
considered by sshd(8) as a sure sign of an account being locked.
E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
--
Yar
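The message above proposes that a leading asterisk in the master.passwd password field be treated as a sure sign of a locked account, and notes that pw(8)'s own `*LOCKED*` prefix already follows that convention. The following Python audit script is an added example, not code from the PR, from sshd or from pw(8): it parses master.passwd-style lines (constructed sample data, not real accounts) and reports, per account, whether it is locked by a leading asterisk, locked by pw(8)'s prefix, or merely given a nologin shell. The `PASSWD_LOCK_PREFIX` constant mirrors the macro named in the message; the helper names and the nologin shell paths are this example's own assumptions.

```python
"""Audit lock state of accounts in master.passwd-style data.

Added example (not part of the PR or of any FreeBSD code). The sample
lines below are constructed and contain placeholder hashes.
"""

# Conventions discussed in the PR: a leading asterisk marks a locked
# account, and pw(8) prefixes the hash with "*LOCKED*" (which itself
# starts with an asterisk, so the simple check catches both).
PASSWD_LOCK_PREFIX = "*"
PW_LOCK_PREFIX = "*LOCKED*"

# Assumed shell paths treated as "no interactive login" (example's own list).
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin")

# master.passwd layout: name:passwd:uid:gid:class:change:expire:gecos:home:shell
FIELD_COUNT = 10


def is_locked(line):
    """The check the message argues sshd(8) should apply: a leading
    asterisk in the password field means the account is locked."""
    fields = line.split(":")
    if len(fields) != FIELD_COUNT:
        raise ValueError("not a master.passwd line: %r" % line)
    return fields[1].startswith(PASSWD_LOCK_PREFIX)


def classify(line):
    """Return (name, reasons) where reasons lists why login should be
    refused: 'pw-locked', 'password-locked', 'nologin-shell'."""
    fields = line.split(":")
    if len(fields) != FIELD_COUNT:
        raise ValueError("not a master.passwd line: %r" % line)
    name, pw, shell = fields[0], fields[1], fields[9]
    reasons = []
    if pw.startswith(PW_LOCK_PREFIX):
        reasons.append("pw-locked")
    elif pw.startswith(PASSWD_LOCK_PREFIX):
        reasons.append("password-locked")
    if shell in NOLOGIN_SHELLS:
        # Disabled rather than locked, in the message's terminology:
        # it is not undone by simply removing a prefix from the hash.
        reasons.append("nologin-shell")
    return name, reasons


def audit(lines):
    """Map each account name to its list of lock/disable reasons."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, reasons = classify(line)
        result[name] = reasons
    return result


# Constructed sample data; "$6$..." values are placeholders, not real hashes.
SAMPLE_MASTER_PASSWD = [
    "# name:passwd:uid:gid:class:change:expire:gecos:home:shell",
    "joe:$6$placeholder:1001:1001::0:0:Joe Random User:/home/joe:/bin/sh",
    "alice:*LOCKED*$6$placeholder:1002:1002::0:0:Alice:/home/alice:/bin/sh",
    "bob:*:1003:1003::0:0:Bob:/home/bob:/bin/sh",
    "carol:$6$placeholder:1004:1004::0:0:Carol:/home/carol:/usr/sbin/nologin",
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_MASTER_PASSWD).items():
        state = ", ".join(reasons) if reasons else "active"
        print("%-8s %s" % (name, state))
```

Running the script lists `joe` as active, `alice` as pw-locked, `bob` as password-locked and `carol` as nologin-shell; `is_locked()` returns true for both `alice` and `bob`, which is the point of the message: a single leading-asterisk check is enough to honour both the plain `*` convention and pw(8)'s `*LOCKED*` marker.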