locked account accessible via pubkey auth

Frank Cusack fcusack at fcusack.com
Thu Jan 31 11:00:50 EST 2002


On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller wrote:
> On Tue, 29 Jan 2002, Frank Cusack wrote:
> 
> > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > > maybe this is a silly question ;-) But why is it possible to login on a
> > > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > > (authorized_keys) ?
> > 
> > huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can
> > look into this, unfortunately not within a day or so.
> 
> I don't think it is a bug even. Having accounts with locked passwords, but
> still accessible via pubkey auth is a very useful thing.

I agree, that is useful, but whether or not it's a bug depends on the meaning
of 'passwd -l'.  SUSv2 does not define the passwd command, so I guess this
is implementation-dependent.

On Solaris 8, passwd(8) says -l "Locks password entry for _name_".  It does
not say that it locks the *account*.  So this would seem to be consistent
with pubkey auth still being allowed.  Even so, I would tend to think it
should lock the "account".  I don't know if this list is a good place for
it, but personally I would be interested in hearing arguments for either.

Can someone report on what the HP-UX man page says?  I'd also be interested
to see the man page for HP-UX getspent().  (Another email in this thread
says HP-UX prevents pubkey auth after 'passwd -l'.)

/fc
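An audit check for the situation discussed in this thread, added here as an example and not part of the original message: it lists accounts whose shadow password field is locked but which still carry a non-empty authorized_keys file, i.e. accounts a locked password alone does not keep out of sshd. It assumes the Solaris `*LK*` and Linux `!` lock prefixes and runs against constructed sample data rather than the live /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed lock markers:
# "*LK*..." (Solaris passwd -l) and a leading "!" (Linux passwd -l).

# Return 0 if a shadow password field carries a lock marker.
is_locked_pw() {
    case "$1" in
        '*LK*'*|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each user from a shadow-style file whose password is locked and
# whose $2/<user>/authorized_keys exists and is non-empty.
locked_with_keys() {
    shadow_file=$1; keydir=$2
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        if is_locked_pw "$pw" && [ -s "$keydir/$user/authorized_keys" ]; then
            printf '%s\n' "$user"
        fi
    done < "$shadow_file"
}

# Constructed sample tree (fake hashes and keys); prints the temp dir.
make_sample_data() {
    d=$(mktemp -d)
    printf '%s\n' \
        'alice:*LK*$1$sample$hash:15000::::::' \
        'bob:$1$sample$hash:15000::::::' \
        'carol:!$1$sample$hash:15000::::::' > "$d/shadow"
    mkdir -p "$d/keys/alice" "$d/keys/bob" "$d/keys/carol"
    echo 'ssh-rsa AAAAB3constructed alice@example' > "$d/keys/alice/authorized_keys"
    echo 'ssh-rsa AAAAB3constructed bob@example' > "$d/keys/bob/authorized_keys"
    : > "$d/keys/carol/authorized_keys"   # locked, but no usable key
    printf '%s\n' "$d"
}

sample=$(make_sample_data)
locked_with_keys "$sample/shadow" "$sample/keys"   # prints: alice
rm -rf "$sample"
```

On a real host, point it at /etc/shadow (root only) and at the directory holding each user's .ssh, then treat every listed account as one that `passwd -l` did not actually disable.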
