bin/71147: sshd(8) will allow to log into a locked account
Simon L. Nielsen
simon at FreeBSD.org
Wed Sep 1 08:10:29 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: "Simon L. Nielsen" <simon at FreeBSD.org>
To: Yar Tikhiy <yar at comp.chem.msu.su>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Wed, 1 Sep 2004 17:06:21 +0200
On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
> The following reply was made to PR bin/71147; it has been noted by GNATS.
>
> However, I feel that the full blown prefix `*LOCKED*' should be
> left for pw(8) purposes while just a leading asterisk may be
> considered by sshd(8) as a sure sign of an account being locked.
> E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
If you prevent accounts with a "*" from logging in with a ssh key you
will break POLA. I know that I have several systems where the
password in master.passwd is set to "*" and I then log in via ssh
keys.
Also a "*" in the password file does not prevent a user logging in
when authenticating via Kerberos.
-- 
Simon L. Nielsen
FreeBSD Documentation Team
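
Added example, not part of the original message and not sshd's code: a small C program that applies the two candidate lock prefixes discussed in this thread (`*LOCKED*` and a bare `*`) to the password field of master.passwd-style lines. The sample lines, the helper names `passwd_field` and `count_refused`, and the "starts with prefix" check itself are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed master.passwd-style lines (name:password:uid:gid:...). */
static const char *const sample[] = {
    "alice:$2a$04$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "backup:*:1002:1002::0:0:Key-only login:/home/backup:/bin/sh",
    "mallory:*LOCKED*$2a$04$constructedhash:1003:1003::0:0:M:/home/mallory:/bin/sh",
    "daemon:*:1:1::0:0:System account:/root:/usr/sbin/nologin",
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Copy the second colon-separated field into out; -1 if malformed or too long. */
static int passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    const char *end = start ? strchr(start + 1, ':') : NULL;
    size_t n;

    if (end == NULL)
        return -1;
    n = (size_t)(end - (start + 1));
    if (n >= outlen)
        return -1;
    memcpy(out, start + 1, n);
    out[n] = '\0';
    return 0;
}

/* Count accounts a hypothetical "password field starts with prefix" check refuses. */
static int count_refused(const char *const lines[], size_t n, const char *prefix)
{
    char field[128];
    int refused = 0;

    for (size_t i = 0; i < n; i++) {
        if (passwd_field(lines[i], field, sizeof(field)) != 0)
            continue; /* skip malformed lines */
        if (strncmp(field, prefix, strlen(prefix)) == 0)
            refused++;
    }
    return refused;
}

int main(void)
{
    printf("prefix \"*LOCKED*\": %d refused\n", count_refused(sample, NSAMPLE, "*LOCKED*"));
    printf("prefix \"*\": %d refused\n", count_refused(sample, NSAMPLE, "*"));
    return 0;
}
```

With the bare `*` prefix the check also refuses the `backup` and `daemon` entries, which is the key-only login case the reply describes.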