bin/71147: sshd(8) will allow to log into a locked account

Yar Tikhiy yar at comp.chem.msu.su
Sat Sep 4 09:00:50 PDT 2004


The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Yar Tikhiy <yar at comp.chem.msu.su>
To: "Simon L. Nielsen" <simon at FreeBSD.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 19:52:38 +0400

 On Sat, Sep 04, 2004 at 05:13:14PM +0200, Simon L. Nielsen wrote:
 > On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
 > > On Wed, Sep 01, 2004 at 05:06:21PM +0200, Simon L. Nielsen wrote:
 > > > 
 > > > Also a "*" in the password file does not prevent a user logging in
 > > > when authenticating via Kerberos.
 > > 
 > > Will Kerberos authentication codepath check for ``*LOCKED*'' either?
 > 
 > No, I actually think Kerberos telnetd will allow login just as long as
 > there is a user account and a valid Kerberos account/ticket.
 
 That's a manifestation of the problem I had in mind when opening
 this PR.  Namely, there is a discrepancy between the existence of
 a system-wide policy for locking user accounts on the one hand and
 having to implement the said policy in each piece of software
 involved on the other hand.  If we decide here that the policy does
 exist, it will seem reasonable to implement it where it belongs,
 i.e. in setusercontext().  The function may check for ``*LOCKED*''
 if invoked with LOGIN_SETLOGIN set and return an error accordingly.
 With this approach, we could leave alone sshd, telnetd, login, su,
 X display managers, as well as any logon-related sw using the function.
 
 -- 
 Yar
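Added example (not from the PR, not FreeBSD code): a sketch of the single-point check proposed in the message above, written as stand-alone C. The flag macros, the `struct pwent` stand-in for `struct passwd`, the `set_user_context_gate()` name and the sample entries are all constructed for illustration; the only fact taken from the system is that pw(8) lock marks an account by prefixing the password hash with `*LOCKED*`. The example also shows why keying the check on LOGIN_SETLOGIN matters: a session-opening caller is refused, a caller that only applies resource limits is not, and a bare `*` hash (no password at all, as on Kerberos-only accounts) is not mistaken for a lock.

```c
/* Added example: a sketch of the single-point lock check proposed above.
 * Not FreeBSD code; names, flag values and sample entries are constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* pw(8) lock/unlock marks an account by prefixing the hash with this string. */
#define LOCKED_PREFIX "*LOCKED*"

/* Stand-ins for the login_cap.h flags; the numeric values here are
 * illustrative and need not match FreeBSD's headers. */
#define LOGIN_SETLOGIN     0x0002
#define LOGIN_SETRESOURCES 0x0010
#define LOGIN_SETUSER      0x0040
#define LOGIN_SETALL       0x7fff

/* Minimal stand-in for the fields of struct passwd the check needs. */
struct pwent {
    const char *pw_name;
    const char *pw_passwd;   /* hash field as stored in master.passwd */
};

/* True when the password field carries the *LOCKED* marker.
 * A bare "*" (no valid hash, as used for Kerberos-only or system accounts)
 * is deliberately not treated as locked: it only disables password auth. */
bool account_is_locked(const char *pw_passwd)
{
    if (pw_passwd == NULL)
        return false;
    return strncmp(pw_passwd, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0;
}

/* Gate modelled on the proposal: the check is tied to LOGIN_SETLOGIN so a
 * session-opening caller (sshd, telnetd, login, su, a display manager, all of
 * which pass LOGIN_SETALL) is refused, while a caller that only wants resource
 * limits or the umask applied is not. Returns 0, or -1 with errno = EPERM. */
int set_user_context_gate(const struct pwent *pw, unsigned int flags)
{
    if ((flags & LOGIN_SETLOGIN) && account_is_locked(pw->pw_passwd)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* What pw(8) lock does to the field: prepend the marker. Returns 0, or -1
 * if the account is already locked or the buffer is too small. */
int lock_passwd(char *dst, size_t dstsz, const char *hash)
{
    if (account_is_locked(hash))
        return -1;
    if (snprintf(dst, dstsz, "%s%s", LOCKED_PREFIX, hash) >= (int)dstsz)
        return -1;
    return 0;
}

/* Inverse of lock_passwd: strip the marker. Returns -1 if not locked. */
int unlock_passwd(char *dst, size_t dstsz, const char *hash)
{
    if (!account_is_locked(hash))
        return -1;
    if (snprintf(dst, dstsz, "%s", hash + strlen(LOCKED_PREFIX)) >= (int)dstsz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample entries, not from any real password file. */
    const struct pwent entries[] = {
        { "alice", "$1$saltsalt$0123456789abcdef0123456" },   /* normal   */
        { "bob",   "*LOCKED*$1$saltsalt$0123456789abcdef0" }, /* pw lock  */
        { "krb",   "*" },                                      /* no hash  */
    };
    const struct { const char *name; unsigned int flags; } callers[] = {
        { "sshd (LOGIN_SETALL)",        LOGIN_SETALL },
        { "limits-only (SETRESOURCES)", LOGIN_SETRESOURCES },
    };

    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        for (size_t j = 0; j < sizeof callers / sizeof callers[0]; j++) {
            int rc = set_user_context_gate(&entries[i], callers[j].flags);
            printf("%-6s via %-28s -> %s\n", entries[i].pw_name,
                   callers[j].name, rc == 0 ? "allowed" : "refused (EPERM)");
        }
    }
    return 0;
}
```

Running it prints one line per (account, caller) pair: only "bob" through the LOGIN_SETALL caller is refused. Note that "krb" with its bare `*` is allowed by this check on purpose, which is exactly the gap the thread is discussing: a `*` hash says nothing about whether the account is locked, so a Kerberos code path that never consults the lock marker will still open the session.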
