locked account accessible via pubkey auth

Lacoss-Arnold, Jason Jason.Lacoss-Arnold at AGEDWARDS.com
Wed Jan 30 23:59:03 EST 2002


No, it's at best a really annoying "feature" but it feels more like a bug.
Basically, it makes it a royal pain in the arse to disable an account when a
user leaves since all of the Solaris tools assume that passwd=*LK* means
that the account is disabled.  Hence, if you actually want to disable the
account you have to first use Sun's tool and additionally either change the
shell to /bin/false or similar, put the user in a group that's listed in
sshd_config's DenyGroups, go wipe out user keys and configs, or some other
kludge.  Kludging sucks.

Thanks,
--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501


-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Tuesday, January 29, 2002 22:40
To: Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessible via pubkey auth


On Tue, 29 Jan 2002, Frank Cusack wrote:

> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > maybe this is a silly question ;-) But why is it possible to login on a
> > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > (authorized_keys) ?
> > > I use OpenSSH 3.01p1 on Solaris 8 with PAM support so I thought this should not
> > > happen.
> > 
> > Check the list archives and you'll find others with the same problem.
> > No one has turned up a solution with Solaris 8/PAM yet.
> 
> huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can
> look into this, unfortunately not within a day or so.

I don't think it is a bug even. Having accounts with locked passwords, but
still accessible via pubkey auth is a very useful thing.

-d


_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
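As an added example, not part of the thread: a POSIX shell audit for the gap Jason describes, listing accounts whose shadow entry is locked (Solaris `*LK*`, or `!`/`*` prefixes) but which still have an `authorized_keys` file and a shell other than `/bin/false` or nologin. The passwd/shadow files, home directories, user names and key text are a constructed fixture written to a temp dir; point the function at the real files to use it.

```shell
#!/bin/sh
# Audit for the gap discussed in the thread: a locked password (*LK* on
# Solaris, ! or !! on Linux) does not stop pubkey login, so a "disabled"
# account is still reachable if its authorized_keys and shell remain.

# make_fixture: constructed sample passwd/shadow/home dirs (not real data).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/.ssh" "$root/home/bob/.ssh" "$root/home/carol"
    # alice: locked, keys left behind, usable shell      -> reported
    # bob:   locked, keys left, shell set to /bin/false  -> not reported
    # carol: locked, no keys; dave: active account       -> not reported
    echo 'ssh-rsa CONSTRUCTED_SAMPLE_KEY alice@example.com' > "$root/home/alice/.ssh/authorized_keys"
    echo 'ssh-rsa CONSTRUCTED_SAMPLE_KEY bob@example.com' > "$root/home/bob/.ssh/authorized_keys"
    cat > "$root/passwd" <<EOF
alice:x:1001:100::$root/home/alice:/bin/ksh
bob:x:1002:100::$root/home/bob:/bin/false
carol:x:1003:100::$root/home/carol:/bin/ksh
dave:x:1004:100::$root/home/dave:/bin/ksh
EOF
    cat > "$root/shadow" <<'EOF'
alice:*LK*:12000::::::
bob:*LK*:12000::::::
carol:*LK*:12000::::::
dave:$5$saltsalt$CONSTRUCTEDHASH:12000::::::
EOF
    echo "$root"
}

# locked_with_keys SHADOW PASSWD: prints "user shell keyfile" for every account
# whose password is locked but which still has authorized_keys and a real shell.
locked_with_keys() {
    shadow=$1; passwd=$2
    while IFS=: read -r user hash rest; do
        case "$hash" in
            '*LK*'*|'!'*|'*'*) ;;       # locked forms; anything else is active
            *) continue ;;
        esac
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd")
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
        case "$shell" in */false|*nologin) continue ;; esac   # already disabled
        keyfile="$home/.ssh/authorized_keys"
        [ -s "$keyfile" ] && printf '%s %s %s\n' "$user" "$shell" "$keyfile"
    done < "$shadow"
    return 0
}

root=$(make_fixture)
locked_with_keys "$root/shadow" "$root/passwd"   # demo run on the fixture
rm -rf "$root"
```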

