bin/71147: sshd(8) will allow to log into a locked account

Yar Tikhiy yar at
Sat Sep 4 09:00:50 PDT 2004

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: Yar Tikhiy <yar at>
To: "Simon L. Nielsen" <simon at>
Cc: freebsd-gnats-submit at
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 19:52:38 +0400

 On Sat, Sep 04, 2004 at 05:13:14PM +0200, Simon L. Nielsen wrote:
 > On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
 > > On Wed, Sep 01, 2004 at 05:06:21PM +0200, Simon L. Nielsen wrote:
 > > > 
 > > > Also a "*" in the password file does not prevent a user logging in
 > > > when authenticating via Kerberos.
 > > 
 > > Will Kerberos authentication codepath check for ``*LOCKED*'' either?
 > No, I actually think Kerberos telnetd will allow login just as long as
 > there is a user account and a valid Lerberos account/ticket.
 That's a manifestation of the problem I had in mind when opening
 this PR.  Namely, there is a discrepancy between the existence of
 a system-wide policy for locking user accounts on the one hand and
 having to implement the said policy in each piece of software
 involved on the other hand.  If we decide here that the policy does
 exist, it will seem reasonable to implement it where it belongs to,
 i.e. in setusercontext().  The function may check for ``*LOCKED*''
 if invoked with LOGIN_SETLOGIN set and return an error correspondingly.
 With this approach, we could leave alone sshd, telnetd, login, su,
 X display managers, as well as any logon-related sw using the function.

More information about the freebsd-bugs mailing list