locked account accessible via pubkey auth
Lacoss-Arnold, Jason
Jason.Lacoss-Arnold at AGEDWARDS.com
Fri Feb 1 00:20:58 EST 2002
HP-UX 11.00
from: man passwd
-l Lock user account.
from: man getspent
getspent(3C) getspent(3C)
NAME
getspent, getspnam, setspent, endspent - access secure password
entries, for trusted systems only.
SYNOPSIS
#include <shadow.h>
struct spwd * getspent (void);
struct spwd * getspnam (const char *name);
void setspent (void);
void endspent (void);
DESCRIPTION
The routines getspent() and getspnam() return a pointer to the next
secured password entry. Each entry is a spwd structure, declared in
the shadow.h header file with the following members:
    char *sp_namp;          /* the user's login name */
    char *sp_pwdp;          /* the encrypted password for the user */
    long sp_lstchg;         /* # of days from 1/1/70 when passwd was last modified */
    long sp_min;            /* min # of days allowed between password changes */
    long sp_max;            /* max # of days allowed between password changes */
    long sp_warn;           /* # of days before password expires and warning issued */
    long sp_inact;          /* # of days between account inactive and disabled */
    long sp_expire;         /* # of days from 1/1/70 when account is locked */
    unsigned long sp_flag;  /* currently unused */
The getspent() routine returns a pointer to the first spwd structure
when first called. Subsequent calls return pointers to successive spwd
structures. Repeated calls to getspent() can be used to search all
entries in the protected password database. The getspnam() routine
searches password entries from beginning to end until a login name
matching name is found, and returns a pointer to that entry.
If the fields corresponding to sp_min, sp_max, sp_lstchg, sp_warn,
sp_inact, sp_expire, or sp_flag are not specified in the entry, they
default to -1. If an end-of-file or an error is encountered in reading
or a format error is detected, these functions return a null pointer
and, for an error, errno is set to EINVAL.
The setspent() routine is used to reset access to the secured password
entries. After setspent() is called, the subsequent call to getspent()
returns the first secured password entry. This mechanism is used to
allow repeated searches of the secured password entries. The
endspent() routine is used to indicate that processing of secured
password entries is complete.
Hewlett-Packard Company - 1 - HP-UX Release 11.00: October 1997
getspent() is only supported on trusted systems.
The secured password facility is implemented without the use of the
/etc/shadow file. getspent(), getspnam(), setspent(), and endspent()
read from the trusted system's protected password database
(/tcb/files/auth/*/*) and not /etc/shadow. The file /etc/shadow is
not used in any way by the HP-UX login facility.
These routines return a null pointer and set errno to ENOENT if the
system has not been converted to a trusted system. In all other cases,
the return value is set similarly to getprpwent(). See getprpwent(3)
for more information.
Programs using these routines must be compiled with -lsec.
FILES
/etc/passwd System Password file.
/tcb/files/auth/*/* Protected password database, for trusted
systems.
SEE ALSO
getpwent(3C), getprpwent(3), passwd(4).
DIAGNOSTICS
getspent(), getspnam(), and fgetspent() return a null pointer on EOF
or error.
STANDARDS CONFORMANCE
getspent : SVID3
Thanks,
--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501
-----Original Message-----
From: Frank Cusack [mailto:fcusack at fcusack.com]
Sent: Wednesday, January 30, 2002 18:01
To: Damien Miller
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessible via pubkey auth
On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller wrote:
> On Tue, 29 Jan 2002, Frank Cusack wrote:
>
> > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > > maybe this is a silly question ;-) But why is it possible to login on a
> > > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > > (authorized_keys) ?
> >
> > huh.. This is definitely a bug; probably in the Solaris PAM libs. I can
> > look into this, unfortunately not within a day or so.
>
> I don't think it is a bug even. Having accounts with locked passwords, but
> still accessible via pubkey auth is a very useful thing.
I agree, that is useful, but whether or not it's a bug depends on the meaning
of 'passwd -l'. SUSv2 does not define the passwd command, so I guess this
is implementation-dependent.
On Solaris 8, passwd(8) says -l "Locks password entry for _name_". It does
not say that it locks the *account*. So this would seem to be consistent
with pubkey auth still being allowed. Even so, I would tend to think it
should lock the "account". I don't know if this list is a good place for
it, but personally I would be interested in hearing arguments for either.
Can someone report on what the HP-UX man page says? I'd also be interested
to see the man page for HP-UX getspent(). (Another email in this thread
says HP-UX prevents pubkey auth after 'passwd -l'.)
/fc
_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev