locked account accessible via pubkey auth
Frank Cusack
fcusack at fcusack.com
Thu Jan 31 11:00:50 EST 2002
On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller wrote:
> On Tue, 29 Jan 2002, Frank Cusack wrote:
>
> > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > > maybe this is a silly question ;-) But why is it possible to login on a
> > > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > > (authorized_keys) ?
> >
> > huh.. This is definitely a bug; probably in the Solaris PAM libs. I can
> > look into this, unfortunately not within a day or so.
>
> I don't think it is a bug even. Having accounts with locked passwords, but
> still accessible via pubkey auth is a very useful thing.

I agree, that is useful, but whether or not it's a bug depends on the meaning
of 'passwd -l'. SUSv2 does not define the passwd command, so I guess this
is implementation-dependent.

On Solaris 8, passwd(8) says -l "Locks password entry for _name_". It does
not say that it locks the *account*. So this would seem to be consistent
with pubkey auth still being allowed. Even so, I would tend to think it
should lock the "account". I don't know if this list is a good place for
it, but personally I would be interested in hearing arguments for either.

Can someone report on what the HP-UX man page says? I'd also be interested
to see the man page for HP-UX getspent(). (Another email in this thread
says HP-UX prevents pubkey auth after 'passwd -l'.)

/fc
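
An audit for the behaviour discussed in this thread, added here as an example and not code from the thread or from OpenSSH: it lists accounts whose shadow password field is locked but whose home directory still holds usable authorized_keys entries. It assumes the lock markers `*LK*` (Solaris `passwd -l`) and a leading `!` (Linux shadow-utils) and the default `.ssh/authorized_keys` location; all function names and sample data are constructed.

```python
import os
import tempfile

LOCK_MARKERS = ("*LK*", "!")  # assumed markers: Solaris passwd -l, Linux shadow-utils

def password_locked(shadow_field):
    """True if the shadow password field starts with a known lock marker."""
    return shadow_field.startswith(LOCK_MARKERS)

def has_usable_keys(home, rel_path=".ssh/authorized_keys"):
    """True if the key file holds at least one non-blank, non-comment line."""
    path = os.path.join(home, rel_path)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(l.strip() and not l.lstrip().startswith("#") for l in fh)
    except OSError:
        return False

def locked_but_key_accessible(passwd_text, shadow_text, root="/"):
    """Return sorted logins whose password is locked yet keys remain in place."""
    rows = (l.split(":") for l in passwd_text.splitlines())
    homes = {p[0]: p[5] for p in rows if len(p) >= 7}
    hits = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or parts[0] not in homes:
            continue
        home = os.path.join(root, homes[parts[0]].lstrip("/"))
        if password_locked(parts[1]) and has_usable_keys(home):
            hits.append(parts[0])
    return sorted(hits)

def demo():
    # Constructed sample: alice is locked and has a key, bob is locked with
    # only a commented-out key, carol has a key but is not locked.
    users = {"alice": ("*LK*", "ssh-rsa AAAAconstructed alice@example\n"),
             "bob": ("*LK*", "# ssh-rsa AAAAconstructed bob@example\n"),
             "carol": ("abXYconstructed", "ssh-rsa AAAAconstructed carol@example\n")}
    passwd = "".join(f"{u}:x:1001:10::/home/{u}:/bin/sh\n" for u in users)
    shadow = "".join(f"{u}:{p}:11718::::::\n" for u, (p, _) in users.items())
    with tempfile.TemporaryDirectory() as root:
        for u, (_, key) in users.items():
            d = os.path.join(root, "home", u, ".ssh")
            os.makedirs(d)
            with open(os.path.join(d, "authorized_keys"), "w") as fh:
                fh.write(key)
        return locked_but_key_accessible(passwd, shadow, root)

if __name__ == "__main__":
    print(demo())
```

On a real host the two text arguments would come from the passwd and shadow databases, and the key path should match the server's AuthorizedKeysFile setting.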