locked account accessable via pubkey auth

Lacoss-Arnold, Jason Jason.Lacoss-Arnold at AGEDWARDS.com
Fri Feb 1 00:20:58 EST 2002

HP-UX 11.00
from: man passwd
-l		Lock user account.

from: man getspent
getspent(3C)                                                   getspent(3C)
      getspent, getspnam, setspent, endspent - access secure password
      entries, for trusted systems only.
      #include <shadow.h>
      struct spwd * getspent (void);
      struct spwd * getspnam (const char *name);
      void setspent (void);
      void endspent (void);
      The routines getspent() and getspnam() return a pointer to the next
      secured password entry. Each entry is a spwd structure, declared in
      the shadow.h header file with the following members:
           char  *sp_namp;  /* the user's login name */
           char  *sp_pwdp;  /* the encrypted password for the user */
           long  sp_lstchg; /* # of days from 1/1/70 when passwd was last
modified */
           long  sp_min;    /* min # of days allowed between password
changes */
           long  sp_max;    /* max # of days allowed between password
changes */
           long  sp_warn;   /* # of days before password expires and warning
           long  sp_inact;  /* # of days between account inactive and
disabled */
           long  sp_expire; /* # of days from 1/1/70 when account is locked
           unsigned long   sp_flag;/* currently unused */
      The getspent() routine returns a pointer to the first spwd structure
      when first called. Subsequent calls return pointers to successive spwd
      structures. Repeated calls to getspent() can be used to search all
      entries in the protected password database. The getspnam () routine
      searches password entries from beginning to end until a login name
      matching name is found, and returns a pointer to that entry.
      If the fields corresponding to sp_min, sp_max, sp_lstchg, sp_warn,
      sp_inact, sp_expire, or sp_flag are not specified in the entry, they
      default to -1. If an end-of-file or an error is encountered in reading
      or a format error is detected, these functions return a null pointer
      and; for an error, errno is set to EINVAL.
      The setspent() routine is used to reset access to the secured password
      entries. After setspent() is called, the subsequent call to getspent()
      returns the first secured password entry. This mechanism is used to
      allow repeated searches of the secured password entries. The
      endspent() routine is used to indicate that processing of secured
      password entries is complete.
 Hewlett-Packard Company            - 1 -  HP-UX Release 11.00: October 1997
 getspent(3C)                                                   getspent(3C)
      getspent() is only supported on trusted systems.
      The secured password facility is implemented without the use of the
      /etc/shadow file.  getspent(), getspnam(), setspent(), and endspent()
      read from the trusted system's protected password database
      (/tcb/files/auth/*/*) and not /etc/shadow.  The file /etc/shadow is
      not used in any way by the HP-UX login facility.
      These routines return a null pointer and sets ERRNO to ENOENT if the
      system has not been converted to trusted system.  In all other cases,
      the return value is set similarly to getprpwent().  See getprpwent(3)
      for more information.
      Programs using these routines must be compiled with -lsec.
      /etc/passwd                   System Password file.
      /tcb/files/auth/*/*           Protected password database, for trusted
      getpwent(3C), getprpwent(3), passwd(4).
      getspent(), getspnam(), and fgetspent() return a null pointer on EOF
      or error.
      getspent : SVID3

--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.

-----Original Message-----
From: Frank Cusack [mailto:fcusack at fcusack.com]
Sent: Wednesday, January 30, 2002 18:01
To: Damien Miller
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth

On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller wrote:
> On Tue, 29 Jan 2002, Frank Cusack wrote:
> > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > > maybe this is a silly question ;-) But why is it possible to login
on a
> > > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > > (authorized_keys) ?
> > 
> > huh..  This is definitely a bug; probably in the Solaris PAM libs.  I
> > look into this, unfortunately not within a day or so.
> I don't think it is a bug even. Having accounts with locked passwords, but
> still accessible via pubkey auth is a very useful thing.

I agree, that is useful, but whether or not it's a bug depends on the
of 'passwd -l'.  SUSv2 does not define the passwd command, so I guess this
is implementation-dependent.

On Solaris 8, passwd(8) says -l "Locks password entry for _name_".  It does
not say that it locks the *account*.  So this would seem to be consistent
with pubkey auth still being allowed.  Even so, I would tend to think it
should lock the "account".  I don't know if this list is a good place for
it, but personally I would be interested in hearing arguments for either.

Can someone report on what the HP-UX man page says?  I'd also be interested
to see the man page for HP-UX getspent().  (Another email in this thread
says HP-UX prevents pubkey auth after 'passwd -l'.)


openssh-unix-dev at mindrot.org mailing list

WARNING:  All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020131/cf61d62b/attachment.html 

More information about the openssh-unix-dev mailing list