bin/71147: sshd(8) will allow to log into a locked account
Yar Tikhiy
yar at comp.chem.msu.su
Thu Sep 2 05:50:26 PDT 2004
The following reply was made to PR bin/71147; it has been noted by GNATS.
From: Yar Tikhiy <yar at comp.chem.msu.su>
To: "Simon L. Nielsen" <simon at FreeBSD.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Thu, 2 Sep 2004 16:47:27 +0400
On Wed, Sep 01, 2004 at 05:06:21PM +0200, Simon L. Nielsen wrote:
> On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
> > The following reply was made to PR bin/71147; it has been noted by GNATS.
> >
> > However, I feel that the full-blown prefix `*LOCKED*' should be
> > left for pw(8) purposes while just a leading asterisk may be
> > considered by sshd(8) as a sure sign of an account being locked.
> > E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
>
> If you prevent accounts with a "*" from logging in with a ssh key you
> will break POLA. I know that I have several systems where the
> password in master.passwd is set to "*" and I then log in via ssh
> keys.
>
> Also a "*" in the password file does not prevent a user logging in
> when authenticating via Kerberos.
Will the Kerberos authentication code path check for ``*LOCKED*'' either?
--
Yar
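As an added illustration, not code from the PR, from pw(8) or from FreeBSD's sshd, the following shows what the two rules discussed above amount to when applied to the password field of master.passwd(5) entries. The macro names, the policy enum, the helper functions and the sample entries (whose hashes are placeholders) are all assumptions made for this example. It only decides what the password field says; it makes no statement about the public-key or Kerberos code paths, which is the open question in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: the prefix pw(8) lock writes in front of the
 * hash, and the looser rule proposed in the PR (any leading '*'). */
#define LOCKED_PASSWD_PREFIX "*LOCKED*"
#define PASSWD_LOCK_PREFIX   "*"

enum lock_policy {
    POLICY_LOCKED_PREFIX,  /* locked only if the field starts with "*LOCKED*" */
    POLICY_ANY_STAR        /* locked if the field starts with "*" at all */
};

/* Copy the second (password) field of a master.passwd line into out.
 * Returns false if there is no second field or it does not fit. */
bool passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (start == NULL)
        return false;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outlen)
        return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* Classify a password field under one of the two policies. */
bool account_locked(const char *pw_passwd, enum lock_policy policy)
{
    const char *prefix = (policy == POLICY_LOCKED_PREFIX)
                             ? LOCKED_PASSWD_PREFIX : PASSWD_LOCK_PREFIX;
    return strncmp(pw_passwd, prefix, strlen(prefix)) == 0;
}

/* Parse then classify one entry. A malformed entry is treated as locked
 * (fail closed) rather than silently allowed. */
bool line_locked(const char *line, enum lock_policy policy)
{
    char field[256];
    if (!passwd_field(line, field, sizeof field))
        return true;
    return account_locked(field, policy);
}

/* Constructed sample entries; the hashes are placeholders, not real ones. */
static const char *const sample[] = {
    "alice:$1$salt$fakehashfakehashfakehash:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:*:1002:1002::0:0:Bob (ssh keys only):/home/bob:/bin/sh",
    "carol:*LOCKED*$1$salt$fakehashfakehashfakehash:1003:1003::0:0:Carol:/home/carol:/bin/sh",
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        printf("%-6.*s  any-star: %-3s  *LOCKED*: %s\n",
               (int)strcspn(sample[i], ":"), sample[i],
               line_locked(sample[i], POLICY_ANY_STAR) ? "yes" : "no",
               line_locked(sample[i], POLICY_LOCKED_PREFIX) ? "yes" : "no");
    }
    return 0;
}
```

The "bob" entry is the POLA case from the reply: a bare "*" is exactly how a key-only account is usually written, so the any-star rule would lock it while the "*LOCKED*" rule leaves it alone; "carol" is what pw lock produces and is locked under both.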