locked account accessable via pubkey auth

Dan Kaminsky dan at doxpara.com
Thu Jan 31 00:17:09 EST 2002


RE: locked account accessable via pubkey auth

Since normally it's impossible to access the account of a password-disabled account, should default behavior on Solaris be to assume password-disabled means access-disabled?

It seems to me that the rest of the Solaris tools assume "no password = no access".  Perhaps we should as well, and provide a separate configuration option to override to the useful but non-obvious pubkey-only mode.

Thoughts?

--Dan
  ----- Original Message ----- 
  From: Lacoss-Arnold, Jason 
  To: 'Damien Miller' ; Frank Cusack 
  Cc: openssh-unix-dev at mindrot.org ; Dost, Alexander 
  Sent: Wednesday, January 30, 2002 4:59 AM
  Subject: RE: locked account accessable via pubkey auth


  No, it's at best a really annoying "feature" but it feels more like a bug.  Basically, it makes it a royal pain in the arse to disable an account when a user leaves since all of the Solaris tools assume that passwd=*LK* means that the account is disabled.  Hence, if you actually want to disable the account you have to first use Sun's tool and additionally either change the shell to /bin/false or similar, put the user in a group that's listed in sshd_config's DenyGroups, go wipe out user keys and configs, or some other kludge.  Kludging sucks.

  Thanks, 
  --Jason Lacoss-Arnold, Systems Technical Specialist 
  Technical Services - Unix Arch. 
  314-955-8501 



  -----Original Message----- 
  From: Damien Miller [mailto:djm at mindrot.org] 
  Sent: Tuesday, January 29, 2002 22:40 
  To: Frank Cusack 
  Cc: openssh-unix-dev at mindrot.org; Dost, Alexander 
  Subject: Re: locked account accessable via pubkey auth 



  On Tue, 29 Jan 2002, Frank Cusack wrote: 

  > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote: 
  > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote: 
  > > > maybe this is a silly question ;-) But why is it possible to login on a 
  > > > machine with a locked account (passwd -l ) via pubkey-authentication 
  > > > (authorized_keys) ? 
  > > > I use OpenSSH 3.01p1 on Solaris 8 with PAM support so I thought this should not 
  > > > happen. 
  > > 
  > > Check the list archives and you'll find others with the same problem. 
  > > No one has turned up a solution with Solaris 8/PAM yet. 
  > 
  > huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can 
  > look into this, unfortunately not within a day or so. 

  I don't think it is a bug even. Having accounts with locked passwords, but 
  still accessible via pubkey auth is a very useful thing. 

  -d 



  _______________________________________________ 
  openssh-unix-dev at mindrot.org mailing list 
  http://www.mindrot.org/mailman/listinfo/openssh-unix-dev 
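The condition Jason describes above (an account locked with `passwd -l`, i.e. `*LK*` in the shadow password field, that still has an `authorized_keys` file and so remains reachable through public-key auth) is straightforward to audit for. The script below is an added example written for this page; it is not code from the thread or from OpenSSH. It generalizes slightly beyond the thread by also treating the Linux `passwd -l` marker (a leading `!`) as "locked". The shadow and passwd lines, the key-file paths and the `NOLOGIN_SHELLS` list are constructed assumptions for the demonstration; on a real host you would pass `open('/etc/shadow')`, `open('/etc/passwd')` and `os.path.isfile` instead.

```python
"""Added audit example: list accounts whose password is locked in shadow(4)
but which still carry an SSH authorized_keys file, i.e. accounts that sshd
with public-key auth enabled would still admit. Sample data is constructed."""
from __future__ import annotations

from typing import Callable, Dict, Iterable, List, Tuple

# Solaris `passwd -l` writes "*LK*" in front of the hash (as in the thread);
# Linux `passwd -l` prepends "!". Both are treated as "locked" here.
LOCK_PREFIXES = ("*LK*", "!")

# Shells the thread mentions as a kludge for blocking interactive logins
# (assumed list; adjust for the platform being audited).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def is_locked(hash_field: str) -> bool:
    """True if the shadow password field carries a lock marker."""
    return hash_field.startswith(LOCK_PREFIXES)


def parse_shadow(lines: Iterable[str]) -> Dict[str, str]:
    """Map user -> password field from shadow-format lines."""
    out: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip
        out[fields[0]] = fields[1]
    return out


def parse_passwd(lines: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map user -> (home, shell) from passwd-format lines."""
    out: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, skip
        out[fields[0]] = (fields[5], fields[6])
    return out


def audit(shadow_lines: Iterable[str], passwd_lines: Iterable[str],
          key_file_exists: Callable[[str], bool]) -> List[dict]:
    """One finding per locked account that still has an authorized_keys file.

    key_file_exists is injected so the same audit runs against a live host
    (os.path.isfile) or against constructed data.
    """
    shadow = parse_shadow(shadow_lines)
    passwd = parse_passwd(passwd_lines)
    findings = []
    for user, pw_field in shadow.items():
        if not is_locked(pw_field):
            continue
        home, shell = passwd.get(user, ("", ""))
        if not home:
            continue  # no passwd entry, nothing to check
        keys = f"{home}/.ssh/authorized_keys"
        if key_file_exists(keys):
            findings.append({
                "user": user,
                "authorized_keys": keys,
                # True if one of the thread's shell kludges is already in place
                "shell_blocks_login": shell in NOLOGIN_SHELLS,
            })
    return sorted(findings, key=lambda f: f["user"])


# Constructed sample data (hashes and paths are placeholders, not real).
SAMPLE_SHADOW = [
    "root:$5$saltsalt$hashhashhash:15000::::::",
    "alice:*LK*$5$saltsalt$hashhashhash:15000::::::",   # Solaris lock, keys present
    "bob:$5$saltsalt$hashhashhash:15000::::::",         # active account
    "svc:*LK*:15000::::::",                             # locked, no keys
    "carol:!$6$saltsalt$hashhashhash:15000::::::",      # Linux-style lock, keys present
]
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1001:100:Alice:/home/alice:/bin/ksh",
    "bob:x:1002:100:Bob:/home/bob:/bin/ksh",
    "svc:x:2000:2000:service:/var/svc:/bin/false",
    "carol:x:1003:100:Carol:/home/carol:/bin/false",
]
SAMPLE_KEY_FILES = {
    "/home/alice/.ssh/authorized_keys",
    "/home/bob/.ssh/authorized_keys",
    "/home/carol/.ssh/authorized_keys",
}


def sample_findings() -> List[dict]:
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_SHADOW, SAMPLE_PASSWD, SAMPLE_KEY_FILES.__contains__)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['user']}: locked but {f['authorized_keys']} exists "
              f"(shell blocks login: {f['shell_blocks_login']})")
```

Over the sample data the audit flags `alice` and `carol` (locked, keys present) and skips `svc` (locked, no keys) and `bob` (not locked). The `shell_blocks_login` field only tells you whether the shell kludge from the thread is in place; removing or disabling the `authorized_keys` file, or denying the account in `sshd_config`, is still what actually closes the public-key path.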





