bin/71147: sshd(8) will allow to log into a locked account

Yar Tikhiy yar at
Tue Aug 31 20:10:23 PDT 2004

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Yar Tikhiy <yar at>
To: Dag-Erling Smørgrav <des at>
Cc: Ruslan Ermilov <ru at>, FreeBSD-gnats-submit at
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 07:01:36 +0400

 On Mon, Aug 30, 2004 at 06:11:37PM +0200, Dag-Erling Smørgrav wrote:
 > Yar Tikhiy <yar at> writes:
 > > There are a lot of ways to check user's identity: public key, Unix
 > > password, TACACS+, RADIUS etc.  However, we are still in the Unix
 > > reality, where there must exist a 1-to-1 correspondence between
 > > user's identity and a local account.  And the common sense of this
 > > Unix reality dictates IMHO that when I'm putting `*' into user's
 > > password field of master.passwd, I do mean locking the user out of
 > > the system.
 > That's a policy decision, not an inherent feature of the underlying
 > mechanism.
 Yes, but this policy decision has become the best current practice,
 and diverging from it isn't significantly better than renaming `ls'
 to `dir' so that users migrating from MS Windows are happy.
 > > In other words: An authentication subsystem guarantees that the user
 > > connecting to my system is actually Joe Random User.  However, the
 > > asterisk is a _well-known_ way to tell, "OK, you've proven to be J.R.User,
 > > but now I want you to stay off my system until I allow you in."
 > pw usermod joe -s /usr/sbin/nologin
 As has already been noted in the audit trail, pw(8) implements
 account locking of its own, which in fact sticks to the asterisk
 locking practice.  The native locking of pw(8) is also better than
 assigning nologin(8) as the user's shell because the former can be
 undone, which makes performing lock/unlock cycles really easy.
 Assigning nologin(8) is closer to completely disabling an account
 than to locking it.
 However, I feel that the full-blown prefix `*LOCKED*' should be
 left for pw(8) purposes while just a leading asterisk may be
 considered by sshd(8) as a sure sign of an account being locked.
 E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
