locked account accessable via pubkey auth

Darren Moffat Darren.Moffat at eng.sun.com
Thu Jan 31 04:55:09 EST 2002 

>On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
>> maybe this is a silly question ;-) But why is it possible to login on a
>> machine with a locked account (passwd -l ) via pubkey-authentication
>> (authorized_keys) ?
>
>expired passwords are very different from expired accounts:

which are different to locked accounts.

>if a password is expired the password can longer be used.

correct.  The password can be changed either by the user at login,
r*/telnet/ssh/dtlogin in Solaris support this.  ftp doesn't and can't
due to protocol restrictions.

>if an account is expired the account can longer be used.

correct.  This in Solaris is an absoulte date in time.  The passwd
command is used to set this but we have no easy way to reactivate
the account other than chaning the date to something in the future.

OpenSSH honours this when PAM is used.

>or am I missing something?

A locked account in Solaris is one who's password begins *LK*, this
is what happens when running passwd -l <user>.  *NP* means that the
password wasn't accessible to that user - either passwd.adjunct is
in use for NIS or the NIS+ password table permissions are set so that
only the user can see their password (if it was the user doing the lookup
then it means that they haven't had their AUTH_DH keys registered with the
local keyserv (ie not done a keylogin or had pam_unix run)).

This works because *LK* can't possibly match the hashed password the
user types in when crypt(3c) is used.  But if like OpenSSH you don't
always use pam_authenticate then this doesn't stop the user getting
in if you only call pam_acct_mgmt.

This is fixed in Solaris 9 the pam_unix_account module in Solaris 9 explicitly
checks for the *LK* string so SSH logins with publickey to an account with
*LK* as the first 4 chars of the password field will be denied - which is the
correct behaviour.   

If you wish to disable password based login but do want to have publickey
based login then use NP which is no password (this is what is used for the
"system" accounts that should never have a login password set on them).

An account can also be refused login because it has been idle too long,
this is based on the last login date in lastlog - this is pretty much
useless because it is on a per host basis rather than network wide.

--
Darren J Moffat

More information about the openssh-unix-dev mailing list