bin/71147: sshd(8) will allow to log into a locked account

Ceri Davies ceri at
Wed Sep 1 03:40:25 PDT 2004

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Ceri Davies <ceri at>
To: Yar Tikhiy <yar at>
Cc: FreeBSD Gnats Submit <freebsd-gnats-submit at>
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 11:32:06 +0100

 On Wed, Sep 01, 2004 at 03:10:22AM +0000, Yar Tikhiy wrote:
 >  However, I feel that the full blown prefix `*LOCKED*' should be
 >  left for pw(8) purposes while just a leading asterisk may be
 >  considered by sshd(8) as a sure sign of an account being locked.
 >  E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
 I don't agree, Yar.  I think that "pw lock" should be the canonical way
 to lock an account, that *LOCKED* should therefore be the string that ssh
 checks for on FreeBSD (pw has been doing this for nearly five years, so
 I believe that this is the de facto standard now), and that any other string
 should be interpreted as "fail password authentication" only.
 Whatever we choose, the string should be passed back to the OpenSSH team
 so that they can check for it.
 And this should all be documented as such, obviously ;-)
 It is not tinfoil, it is my new skin.  I am a robot.
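
The two proposals in this message, side by side, as an added example that is not part of the original e-mail and is not FreeBSD or OpenSSH code. Only the strings `*LOCKED*` and `*` come from the thread; all identifiers are hypothetical, and the example assumes that "locked" means every authentication method is refused.

```c
#include <stdio.h>
#include <string.h>

/* Only the strings "*LOCKED*" and "*" come from the thread; every
 * identifier below is hypothetical and chosen for this example. */
#define PW_LOCK_PREFIX "*LOCKED*"   /* prefix written by "pw lock" */

enum lock_policy { POLICY_PW_PREFIX, POLICY_LEADING_STAR };
enum acct_state {
    ACCT_OK,          /* field may hold a usable hash */
    ACCT_NO_PASSWORD, /* password authentication fails, other methods go on */
    ACCT_LOCKED       /* assumption: every authentication method is refused */
};

enum acct_state classify_pw_field(const char *field, enum lock_policy policy)
{
    if (field == NULL)
        return ACCT_LOCKED;                 /* no entry: fail closed */
    if (policy == POLICY_LEADING_STAR)      /* the quoted proposal */
        return field[0] == '*' ? ACCT_LOCKED : ACCT_OK;
    /* The reply's proposal: only the full pw(8) prefix means "locked". */
    if (strncmp(field, PW_LOCK_PREFIX, strlen(PW_LOCK_PREFIX)) == 0)
        return ACCT_LOCKED;
    /* Simplification: '*' is outside the crypt(3) output alphabet, so a
     * field starting with it can never match a password. */
    if (field[0] == '*')
        return ACCT_NO_PASSWORD;
    return ACCT_OK;
}

/* Returns 1 if the given method may proceed for an account in this state. */
int method_allowed(enum acct_state st, int is_password_method)
{
    if (st == ACCT_LOCKED)
        return 0;
    return !(st == ACCT_NO_PASSWORD && is_password_method);
}

int main(void)
{
    /* Constructed sample fields, not real hashes. */
    const char *samples[] = { "*LOCKED*$1$constructed$nothash", "*",
                              "$1$constructed$nothash" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum acct_state a = classify_pw_field(samples[i], POLICY_PW_PREFIX);
        enum acct_state b = classify_pw_field(samples[i], POLICY_LEADING_STAR);
        printf("%-32s other: prefix=%d star=%d  password: prefix=%d star=%d\n",
               samples[i], method_allowed(a, 0), method_allowed(b, 0),
               method_allowed(a, 1), method_allowed(b, 1));
    }
    return 0;
}
```

The two policies differ only for a field such as a bare `*`: the leading-asterisk rule treats it as locked, while the `*LOCKED*` rule only fails password authentication for it.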
