bin/71147: sshd(8) will allow to log into a locked account

Gleb Smirnoff glebius at
Thu Sep 2 02:12:00 PDT 2004

On Wed, Sep 01, 2004 at 03:10:29PM +0000, Simon L. Nielsen wrote:
S>  On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
S>  > The following reply was made to PR bin/71147; it has been noted by GNATS.
S>  >=20
S>  >  However, I feel that the full blown prefix `*LOCKED*' should be
S>  >  left for pw(8) purposes while just a leading asterisk may be
S>  >  considered by sshd(8) as a sure sign of an account being locked.
S>  >  E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
S>  If you prevent accounts with a "*" from logging in with a ssh key you
S>  will break POLA.  I know that I have several systems where the
S>  password in master.passwd is set to "*" and I then log in via ssh
S>  keys.
S>  Also a "*" in the password file does not prevent a user logging in
S>  when authenticating via Kerberos.

I 100% percent agree with Simon. Many many people rely on this. Don't
make them lose access to their boxes after SSH upgrade.

Totus tuus, Glebius.

More information about the freebsd-bugs mailing list