locked account accessible via pubkey auth

Lacoss-Arnold, Jason Jason.Lacoss-Arnold at AGEDWARDS.com
Thu Jan 31 00:46:35 EST 2002


No.  ftp doesn't allow it.  The console doesn't allow it.  The r* commands
would allow it, but we don't allow them for obvious reasons.  But we feel
that the tool we're using to rid ourselves of security holes shouldn't
replicate security holes.
 

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Wednesday, January 30, 2002 7:43
To: Lacoss-Arnold, Jason; 'Damien Miller'; Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


Without SSH, is there *any* other way to access a password-locked account
than to su in from root?
 
If not, I don't see it as being valid to allow a pubkey "backdoor" by
default.  It comes down to whether the platforms are equating "no password =
no access".  Unless something else has access with no password, we shouldn't
be allowing such.
 
Now, do we generally directly manage passwd/shadow files on Solaris, or do
we usually go through PAM?  Can PAM report an LK password state, so we could
check for it before allowing pubkey?
 
--dan
 
 
 

----- Original Message -----
From: Lacoss-Arnold, Jason <Jason.Lacoss-Arnold at AGEDWARDS.com>
To: 'Dan Kaminsky' <dan at doxpara.com>; 'Damien Miller' <djm at mindrot.org>; Frank Cusack <fcusack at fcusack.com>
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander <Alexander.Dost at drkw.com>
Sent: Wednesday, January 30, 2002 5:26 AM
Subject: RE: locked account accessable via pubkey auth

As an interesting side note, HP-UX used to also have this problem, but I
just tested on an 11.0 trusted HP-UX box and disabling my account in SAM did
actually disable it to ssh.  Unfortunately, we don't have any untrusted
systems, so I can't tell if it's a ramification of HP's whole tcb
shenanigans (their version of shadow files) or if all of HP is similarly
fixed.
 
Also, I'm pretty sure that this behavior in Solaris way predated version 8.
 

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Wednesday, January 30, 2002 7:17
To: Lacoss-Arnold, Jason; 'Damien Miller'; Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


Since normally it's impossible to access the account of a password-disabled
account, should default behavior on Solaris be to assume password-disabled
means access-disabled?
 
It seems to me that the rest of the Solaris tools assume "no password = no
access".  Perhaps we should as well, and provide a separate configuration
option to override to the useful but non-obvious pubkey-only mode.
 
Thoughts?
 
--Dan

----- Original Message -----
From: Lacoss-Arnold, Jason <Jason.Lacoss-Arnold at AGEDWARDS.com>
To: 'Damien Miller' <djm at mindrot.org>; Frank Cusack <fcusack at fcusack.com>
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander <Alexander.Dost at drkw.com>
Sent: Wednesday, January 30, 2002 4:59 AM
Subject: RE: locked account accessable via pubkey auth


No, it's at best a really annoying "feature" but it feels more like a bug.
Basically, it makes it a royal pain in the arse to disable an account when a
user leaves since all of the Solaris tools assume that passwd=*LK* means
that the account is disabled.  Hence, if you actually want to disable the
account you have to first use Sun's tool and additionally either change the
shell to /bin/false or similar, put the user in a group that's listed in
sshd_config's DenyGroups, go wipe out user keys and configs, or some other
kludge.  Kludging sucks.

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 


-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Tuesday, January 29, 2002 22:40
To: Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


On Tue, 29 Jan 2002, Frank Cusack wrote: 

> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote: 
> > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote: 
> > > maybe this is a silly question ;-) But why is it possible to login on a
> > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > (authorized_keys) ?
> > > I use OpenSSH 3.01p1 on Solaris 8 with PAM support so I thought this should not
> > > happen.
> > 
> > Check the list archives and you'll find others with the same problem. 
> > No one has turned up a solution with Solaris 8/PAM yet.
> 
> huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can 
> look into this, unfortunately not within a day or so. 

I don't think it is a bug even. Having accounts with locked passwords, but 
still accessible via pubkey auth is a very useful thing. 

-d 


_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev



***************************************************************************************
WARNING: All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************
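The thread above describes a gap on Solaris 8: `passwd -l` writes `*LK*` into the shadow password field, every native tool treats that as "account disabled", yet sshd still honours the user's authorized_keys. The audit script below is an added example, not code from the thread or from OpenSSH. It parses constructed copies of passwd, shadow, group and sshd_config, reports every locked account that is still reachable over SSH, and recognises the kludges Jason lists (a nologin shell, DenyGroups/DenyUsers) as mitigations. It goes beyond the Solaris case by also treating the Linux-style `!` prefix as a lock. The functions `audit` and `run_sample`, the sample users and the fake hashes are assumptions for illustration; DenyUsers/DenyGroups are matched on exact names only, not the wildcard patterns sshd also accepts.

```python
"""Audit locked accounts that remain reachable via SSH public keys.

Added example (not code from the thread or from OpenSSH). Solaris `passwd -l`
writes *LK* into the shadow password field; Linux shadow-utils prefixes '!'.
sshd's pubkey auth never looks at that field, so this script cross-checks it
against authorized_keys, the login shell and sshd_config DenyUsers/DenyGroups.
"""
from typing import Callable, Dict, List, Set, Tuple

# Shells that end a session at once: the shell-swap kludge named in the thread.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def is_locked(pw_field: str) -> bool:
    """True for a Solaris *LK* lock or a Linux-style '!' prefix lock."""
    return pw_field.startswith("*LK*") or pw_field.startswith("!")


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Index passwd/shadow/group style lines by their first field."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def parse_sshd_deny(config: str) -> Tuple[Set[str], Set[str]]:
    """Collect DenyUsers and DenyGroups names (exact names, no wildcards)."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "denyusers":
            users.update(parts[1:])
        elif parts[0].lower() == "denygroups":
            groups.update(parts[1:])
    return users, groups


def groups_of(user: str, passwd: Dict[str, List[str]], group: Dict[str, List[str]]) -> Set[str]:
    """Primary group (matched by gid) plus supplementary groups from /etc/group."""
    gid = passwd[user][3]
    names = set()
    for gname, fields in group.items():
        members = fields[3].split(",") if len(fields) > 3 else []
        if fields[2] == gid or user in members:
            names.add(gname)
    return names


def audit(passwd_text: str, shadow_text: str, group_text: str, sshd_config: str,
          key_exists: Callable[[str], bool]) -> Dict[str, str]:
    """Return {user: status} for every locked account.

    REACHABLE: pubkey login would still succeed.  mitigated:*: which kludge
    from the thread blocks it.  no-keys: no authorized_keys file to use.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    group = parse_colon_file(group_text)
    deny_users, deny_groups = parse_sshd_deny(sshd_config)
    report: Dict[str, str] = {}
    for user, fields in shadow.items():
        if user not in passwd or not is_locked(fields[1]):
            continue
        home, shell = passwd[user][5], passwd[user][6]
        if not key_exists(f"{home}/.ssh/authorized_keys"):
            report[user] = "no-keys"
        elif user in deny_users:
            report[user] = "mitigated:DenyUsers"
        elif groups_of(user, passwd, group) & deny_groups:
            report[user] = "mitigated:DenyGroups"
        elif shell in NOLOGIN_SHELLS:
            report[user] = "mitigated:shell"
        else:
            report[user] = "REACHABLE"
    return report


# Constructed sample data: hypothetical users and fake hashes, not from any host.
SAMPLE_PASSWD = """\
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
bob:x:1002:10:Bob:/export/home/bob:/bin/ksh
carol:x:1003:10:Carol:/export/home/carol:/bin/false
dave:x:1004:10:Dave:/export/home/dave:/bin/ksh
erin:x:1005:10:Erin:/export/home/erin:/bin/ksh
frank:x:1006:10:Frank:/export/home/frank:/bin/ksh
"""
SAMPLE_SHADOW = """\
alice:$1$constructed$hashA:11717::::::
bob:*LK*:11717::::::
carol:*LK*:11717::::::
dave:*LK*:11717::::::
erin:!$1$constructed$hashE:11717::::::
frank:*LK*:11717::::::
"""
SAMPLE_GROUP = "staff::10:\ndisabled::200:dave\n"
SAMPLE_SSHD_CONFIG = "# constructed sshd_config fragment\nDenyGroups disabled\nDenyUsers nobody\n"
# Pretend these authorized_keys files exist on disk; frank has none.
SAMPLE_KEY_FILES = {f"/export/home/{u}/.ssh/authorized_keys"
                    for u in ("alice", "bob", "carol", "dave", "erin")}


def run_sample() -> Dict[str, str]:
    """Audit the constructed data without touching the real filesystem."""
    return audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP, SAMPLE_SSHD_CONFIG,
                 SAMPLE_KEY_FILES.__contains__)


if __name__ == "__main__":
    for user, status in sorted(run_sample().items()):
        print(f"{user:8} {status}")
```

On a real host you would pass the contents of /etc/passwd, /etc/shadow, /etc/group and /etc/ssh/sshd_config together with `os.path.exists` as `key_exists`; only `bob` and `erin` come back `REACHABLE` in the sample, because `carol` has the /bin/false shell, `dave` sits in a DenyGroups group and `frank` has no key file. Anything reported `REACHABLE` is exactly the state the thread complains about: locked by every Solaris tool, still open to sshd.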