locked account accessible via pubkey auth
Darren Moffat
Darren.Moffat at eng.sun.com
Thu Jan 31 12:02:37 EST 2002
>On Wed, Jan 30, 2002 at 11:23:31AM -0500, Nicolas Williams wrote:
>> Leave things as they are please - do not add a check to see if the
>> password field in the shadow entry is *LK*, that would not be generally
>> useful (think: what if you're using only Kerberos for password
>> validation?).
Then you should NOT be marking the account as being locked; you should
give it an invalid password entry - e.g. NP.
>I have to agree with Nico here, don't try to second guess the system
>designers. On Solaris (up to 8, anyway), it seems that 'passwd -l' is
>NOT intended to lock the account. Those that want other behaviour should
>take it up with the vendor (or switch vendors).
It has always been a bug. However, until PAM became a public API in
Solaris 2.6 it wasn't possible to augment the authentication, so most
apps just did strcmp(crypt(getpass()), sp->sp_pwd) and with *LK* you
couldn't get a success.
When PAM was introduced the difference between the account being locked
and the password being something invalid became more obvious:
pam_sm_authenticate() in pam_unix(5) checks that the password the user
offers matches what is stored encrypted in the relevant nameservice;
pam_acct_mgmt() checks the account validity (password aging, expiry
etc).
Most of the time applications call pam_authenticate() first and with
the pam_unix(5) module you never get any further. sshd, cron are the
obvious exceptions to that. cron was where we found this issue.
It is logged as bug# 4506972 in SunSolve.
As justification from existing documentation I offer:
pam_sm_acct_mgmt(3pam) says:
    The pam_sm_acct_mgmt() function determines whether or not
    the current user's account and password are valid. This
    includes checking for password and account expiration, and
    valid login times. The user in question is specified by a
    prior call to pam_start(), and is referenced by the
    authentication handle, pamh, which is passed as the first
    argument to pam_sm_acct_mgmt(). The following flags may be
    set in the flags field:

    The pam_acct_mgmt() function is called to determine if the
    current user's account is valid. It checks for password and
    account expiration, and verifies access hour restrictions.
    This function is typically called after the user has been
    authenticated with pam_authenticate(3PAM).
pam_unix(5) says:
    Unix Account Management Module
    The UNIX account management component provides a function to
    perform account management, pam_sm_acct_mgmt(). The function
    retrieves the user's password entry from the UNIX password
    database and verifies that the user's account and password
    have not expired. The following options may be passed in to
    the UNIX service module:
shadow(4) defines a valid password:
    password
        A 13-character encrypted password for the user, a lock
        string to indicate that the login is not accessible,
        or no string, which shows that there is no password
        for the login.
All Solaris code used *LK* to mean locked. NIS+ uses *NP* to mean
I'm not giving it to you.
Note that it doesn't actually say what the lock string is until
Solaris 9.
New in Solaris 9 is pam_unix_account(5) which says:
    pam_unix_account provides functionality to the PAM account
    management stack. The function pam(3PAM) function retrieves
    password aging information from the repositories specified
    in nsswitch.conf(4), and verifies that the user's account
    and password have not expired.
passwd(1)'s description of the -l flag does still say:
    -l    Locks password entry for name.
Note that it doesn't say it locks the password, it says it locks the
"password entry", implying it disables access to the account. I agree this
could be clearer - I'll see what I can do about getting it changed.
--
Darren J Moffat
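The two PAM phases described in the message, as an added model (not code from the thread, Solaris or OpenSSH): a shadow(4) password-field classifier plus pam_authenticate()/pam_acct_mgmt() stand-ins, showing why a *LK* account remains reachable on a path that skips authentication (pubkey auth, cron) unless account management also checks the lock string. fake_crypt() is an assumed stand-in for crypt(3), and the shadow entries are constructed.

```python
import hashlib

LOCK_PREFIX = "*LK*"                 # Solaris lock string (shadow(4))
NO_PASSWORD_TOKENS = {"NP", "*NP*"}  # invalid password entry: can never match crypt()


def classify_shadow_password(field: str) -> str:
    """Classify a shadow(4) password field: empty, locked, invalid or hash."""
    if field == "":
        return "empty"       # no password at all for this login
    if field.startswith(LOCK_PREFIX):
        return "locked"      # lock string: login not accessible
    if field in NO_PASSWORD_TOKENS:
        return "invalid"     # withheld / deliberately unmatchable
    if len(field) == 13:
        return "hash"        # traditional 13-character crypt(3) output
    return "invalid"


def fake_crypt(password: str) -> str:
    # Stand-in for crypt(3) in this model only (assumption): 13 hex chars.
    return hashlib.sha256(password.encode()).hexdigest()[:13]


def pam_authenticate(field: str, offered: str) -> bool:
    """pam_unix authentication: offered password must match the stored hash.
    Lock strings, NP and empty fields never match, so they fail here."""
    return classify_shadow_password(field) == "hash" and fake_crypt(offered) == field


def pam_acct_mgmt(field: str, check_lock: bool) -> bool:
    """Account management. Aging/expiry is not modelled; with check_lock=True
    the lock string is also rejected, which is the behaviour the thread asks for."""
    if check_lock and classify_shadow_password(field) == "locked":
        return False
    return True


def login_allowed(field: str, offered, check_lock: bool) -> bool:
    """Full login sequence. offered=None models pubkey auth or cron, which
    skip pam_authenticate() and call pam_acct_mgmt() directly."""
    if offered is not None and not pam_authenticate(field, offered):
        return False
    return pam_acct_mgmt(field, check_lock)


# Constructed shadow entries for the model.
SHADOW = {
    "alice": fake_crypt("correct horse"),  # normal account
    "bob": "*LK*",                          # locked with passwd -l
    "carol": "NP",                          # invalid password entry
}
```

With check_lock=False, bob is refused a password login but reaches the account via the pubkey path; with check_lock=True both paths refuse him, while carol (NP) keeps pubkey access, which is the distinction the message draws.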