bin/71147: sshd(8) will allow to log into a locked account

Simon L. Nielsen simon at FreeBSD.org
Sat Sep 4 08:20:23 PDT 2004


The following reply was made to PR bin/71147; it has been noted by GNATS.

From: "Simon L. Nielsen" <simon at FreeBSD.org>
To: Yar Tikhiy <yar at comp.chem.msu.su>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 17:13:14 +0200

 On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
 > On Wed, Sep 01, 2004 at 05:06:21PM +0200, Simon L. Nielsen wrote:
 > > On 2004.09.01 03:10:22 +0000, Yar Tikhiy wrote:
 > > > The following reply was made to PR bin/71147; it has been noted by GNATS.
 > > >
 > > >  However, I feel that the full blown prefix `*LOCKED*' should be
 > > >  left for pw(8) purposes while just a leading asterisk may be
 > > >  considered by sshd(8) as a sure sign of an account being locked.
 > > >  E.g., the macro PASSWD_LOCK_PREFIX("*") should be used IMHO.
 > >
 > > If you prevent accounts with a "*" from logging in with a ssh key you
 > > will break POLA.  I know that I have several systems where the
 > > password in master.passwd is set to "*" and I then log in via ssh
 > > keys.
 > >
 > > Also a "*" in the password file does not prevent a user logging in
 > > when authenticating via Kerberos.
 >
 > Will Kerberos authentication codepath check for ``*LOCKED*'' either?
 
 No, I actually think Kerberos telnetd will allow login just as long as
 there is a user account and a valid Kerberos account/ticket.
 
 -- 
 Simon L. Nielsen
 FreeBSD Documentation Team
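
An added example, not code from the PR or from FreeBSD: a C check that encodes the distinction argued in this thread, where only the pw(8) `*LOCKED*` prefix marks an account as locked and a bare `*` (key-only or Kerberos-only accounts) does not. It assumes the lock prefix value `*LOCKED*` and the standard master.passwd field order; the function names are mine.

```c
#include <stdbool.h>
#include <string.h>

/* Prefix pw(8) writes when it locks an account: the PASSWD_LOCK_PREFIX the
 * thread refers to (value assumed here). */
#define LOCKED_PREFIX "*LOCKED*"

enum pw_state {
    PW_NORMAL,      /* real hash: password authentication is possible */
    PW_NO_PASSWORD, /* "*": no password login, but ssh keys and Kerberos work */
    PW_LOCKED       /* "*LOCKED*" prefix: explicitly locked by pw(8) */
};

/* Classify the password field of one master.passwd entry.  The *LOCKED*
 * test comes first, since that prefix also begins with "*". */
enum pw_state classify_passwd(const char *pw)
{
    if (strncmp(pw, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0)
        return PW_LOCKED;
    if (pw[0] == '*')
        return PW_NO_PASSWORD;
    return PW_NORMAL;
}

/* Copy field 2 (the password) of a master.passwd line
 * "name:password:uid:gid:class:change:expire:gecos:home:shell" into out.
 * Returns false on a malformed line or a field too long for out. */
bool passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (start == NULL) return false;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end != NULL ? (size_t)(end - start) : strlen(start);
    if (len >= outlen) return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* What sshd(8) would refuse under Simon's reading: only *LOCKED* accounts.
 * Refusing a bare "*" as well would break key-only accounts (POLA). */
bool account_locked(const char *line)
{
    char pw[128];
    if (!passwd_field(line, pw, sizeof pw))
        return false; /* malformed entry: leave it to the other checks */
    return classify_passwd(pw) == PW_LOCKED;
}
```

The sample lines below are constructed, not taken from any real master.passwd.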
 

