bin/71147: sshd(8) will allow to log into a locked account
ceri at submonkey.net
Wed Sep 1 03:40:25 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Ceri Davies <ceri at submonkey.net>
To: Yar Tikhiy <yar at comp.chem.msu.su>
Cc: FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 11:32:06 +0100
On Wed, Sep 01, 2004 at 03:10:22AM +0000, Yar Tikhiy wrote:
> However, I feel that the full blown prefix `*LOCKED*' should be
> left for pw(8) purposes while just a leading asterisk may be
> considered by sshd(8) as a sure sign of an account being locked.
> E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
I don't agree, Yar. I think that "pw lock" should be the canonical way
to lock an account, that *LOCKED* should therefore be the string that ssh
checks for on FreeBSD (pw has been doing this for nearly five years, so
I believe that this is the de facto standard now), and that any other string
should be interpreted as "fail password authentication" only.

Whatever we choose, the string should be passed back to the OpenSSH team
so that they can check for it.

And this should all be documented as such, obviously ;-)
It is not tinfoil, it is my new skin. I am a robot.
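
The two policies discussed in this message, side by side, as an added example that is not part of the original e-mail and is not OpenSSH or pw(8) code. The macro, enum and function names are hypothetical, and the sample password fields are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example, not taken from OpenSSH or pw(8). */
#define PW_LOCK_PREFIX   "*LOCKED*"  /* prefix the message says "pw lock" uses */
#define STAR_LOCK_PREFIX "*"         /* the bare-asterisk alternative */

enum acct_state {
    ACCT_PASSWORD_OK,  /* field may be a hash: attempt password authentication */
    ACCT_NO_PASSWORD,  /* password authentication fails, other methods may proceed */
    ACCT_LOCKED        /* refuse the login whatever the authentication method */
};

/* Classify a passwd password field under the given lock prefix. */
enum acct_state classify_pw_field(const char *field, const char *lock_prefix)
{
    if (field == NULL)
        return ACCT_NO_PASSWORD;
    if (strncmp(field, lock_prefix, strlen(lock_prefix)) == 0)
        return ACCT_LOCKED;
    /* A field starting with '*' is not a valid crypt(3) hash, so no password matches it. */
    if (field[0] == '*')
        return ACCT_NO_PASSWORD;
    return ACCT_PASSWORD_OK;
}

static const char *state_name(enum acct_state s)
{
    switch (s) {
    case ACCT_LOCKED:      return "locked";
    case ACCT_NO_PASSWORD: return "no-password";
    default:               return "password-ok";
    }
}

int main(void)
{
    /* Constructed sample fields, not real hashes. */
    const char *fields[] = {
        "*LOCKED*$1$constructed$hash", /* account after "pw lock" */
        "*",                           /* account that never had a password */
        "*NOLOGIN*",                   /* some other non-hash marker */
        "$1$constructed$hash",         /* ordinary hashed password */
    };
    for (size_t i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
        printf("%-30s pw-prefix=%-12s star-prefix=%s\n", fields[i],
               state_name(classify_pw_field(fields[i], PW_LOCK_PREFIX)),
               state_name(classify_pw_field(fields[i], STAR_LOCK_PREFIX)));
    return 0;
}
```

With the bare-asterisk prefix, the `*` and `*NOLOGIN*` fields are classified as locked for every authentication method, whereas with the `*LOCKED*` prefix they only fail password authentication.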