bin/71147: sshd(8) will allow to log into a locked account

Simon L. Nielsen simon at
Sat Sep 4 12:10:28 PDT 2004

The following reply was made to PR bin/71147; it has been noted by GNATS.

From: "Simon L. Nielsen" <simon at>
To: Yar Tikhiy <yar at>
Cc: freebsd-gnats-submit at
Subject: Re: bin/71147: sshd(8) will allow to log into a locked account
Date: Sat, 4 Sep 2004 21:03:02 +0200

 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 On 2004.09.04 19:52:38 +0400, Yar Tikhiy wrote:
 > On Sat, Sep 04, 2004 at 05:13:14PM +0200, Simon L. Nielsen wrote:
 > > On 2004.09.02 16:47:27 +0400, Yar Tikhiy wrote:
 > > >=20
 > > > Will Kerberos authentication codepath check for ``*LOCKED*'' either?
 > >=20
 > > No, I actually think Kerberos telnetd will allow login just as long as
 > > there is a user account and a valid Lerberos account/ticket.
 > That's a manifestation of the problem I had in mind when opening
 > this PR.  Namely, there is a discrepancy between the existence of
 > a system-wide policy for locking user accounts on the one hand and
 > having to implement the said policy in each piece of software
 > involved on the other hand.  If we decide here that the policy does
 > exist, it will seem reasonable to implement it where it belongs to,
 > i.e. in setusercontext().  The function may check for ``*LOCKED*''
 > if invoked with LOGIN_SETLOGIN set and return an error correspondingly.
 > With this approach, we could leave alone sshd, telnetd, login, su,
 > X display managers, as well as any logon-related sw using the function.
 While I have no idea if setusercontext() is the right place to check,
 something like what you propose sounds like a very good idea to me so
 there is consistent behavior.
 Simon L. Nielsen
 FreeBSD Documentation Team
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 Version: GnuPG v1.2.5 (FreeBSD)

More information about the freebsd-bugs mailing list