locked account accessible via pubkey auth
Tim Rice
tim at multitalents.net
Thu Jan 31 13:32:34 EST 2002
On Wed, 30 Jan 2002, Frank Cusack wrote:
> On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller wrote:
> > On Tue, 29 Jan 2002, Frank Cusack wrote:
> >
> > > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > > > maybe this is a silly question ;-) But why is it possible to login on a
> > > > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > > > (authorized_keys) ?
> > >
> > > huh.. This is definitely a bug; probably in the Solaris PAM libs. I can
> > > look into this, unfortunately not within a day or so.
> >
> > I don't think it is a bug even. Having accounts with locked passwords, but
> > still accessible via pubkey auth is a very useful thing.
>
> I agree, that is useful, but whether or not it's a bug depends on the meaning
> of 'passwd -l'. SUSv2 does not define the passwd command, so I guess this
> is implementation-dependent.
>
> On Solaris 8, passwd(8) says -l "Locks password entry for _name_". It does
> not say that it locks the *account*. So this would seem to be consistent
> with pubkey auth still being allowed. Even so, I would tend to think it
> should lock the "account". I don't know if this list is a good place for
> it, but personally I would be interested in hearing arguments for either.
>
> Can someone report on what the HP-UX man page says? I'd also be interested
> to see the man page for HP-UX getspent(). (Another email in this thread
> says HP-UX prevents pubkey auth after 'passwd -l'.)
I don't have HP-UX but here are a few other platforms.

SCO
     -l   Lock user name out of the system by applying an administrative
          lock; only system administrators may do this and they must
          specify name.
     -u   Remove any administrative lock applied to user name; only
          system administrators may do this and they must specify name.

Caldera OpenLinux 3.1
     Account maintenance
          User accounts may be locked and unlocked with the -l and
          -u flags. The -l option disables an account by changing
          the password to a value which matches no possible
          encrypted value. The -u option re-enables an account by
          changing the password back to its previous value. The -d
          option deletes the password of an account (be careful).

UnixWare/OpenUnix
     -l   Lock the password entry for login_name.
>
> /fc
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net
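The thread above turns on a single observation: on several platforms `passwd -l` only rewrites the shadow password field to a value that can never match (the Caldera excerpt says so explicitly), and whether sshd then still honours `authorized_keys` depends on the platform's account checks. An administrator who wants to know which accounts are in that state can audit for it directly. The script below is an added example written for this page, not code from the thread or from OpenSSH: it parses shadow-format lines, flags the lock markers used by the platforms discussed (`!`/`!!` on Linux-style `passwd -l`, `*LK*` on Solaris, and a bare `*`), and reports locked accounts that still have non-comment entries in an `authorized_keys` file. The shadow lines and key lists are constructed sample data; the `read_authorized_keys` helper assumes the default `~/.ssh/authorized_keys` location when run against a live system.

```python
import os
import pwd

# Constructed sample /etc/shadow-style lines (not from any real system).
SAMPLE_SHADOW = """\
root:$6$abc$hashhashhash:19000:0:99999:7:::
alice:!$6$abc$hashhashhash:19000:0:99999:7:::
bob:*LK*$1$abc$hash:19000:0:99999:7:::
carol:$6$def$hashhashhash:19000:0:99999:7:::
dave:!!:19000:0:99999:7:::
"""

# Constructed authorized_keys contents, keyed by user name.
SAMPLE_KEYS = {
    "alice": ["ssh-ed25519 AAAAC3Nz...constructed alice@example"],
    "bob": [
        "# constructed comment line, ignored",
        "ssh-rsa AAAAB3Nz...constructed bob@example",
        "ssh-ed25519 AAAAC3Nz...constructed bob-laptop",
    ],
    "carol": ["ssh-ed25519 AAAAC3Nz...constructed carol@example"],
    # dave is locked but has no keys, so he is not reported
}

# Prefixes that mark a locked password on the platforms discussed in the
# thread: "!" / "!!" (Linux-style passwd -l), "*LK*" (Solaris), "*" (disabled).
LOCK_MARKERS = ("!", "*LK*", "*")


def is_locked(pw_field):
    """True if the shadow password field carries a lock marker."""
    return any(pw_field.startswith(m) for m in LOCK_MARKERS)


def parse_shadow(text):
    """Return {user: password_field} from shadow-format text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries


def active_keys(lines):
    """Drop blank lines and '#' comments; what is left are usable key entries."""
    return [k for k in lines if k.strip() and not k.lstrip().startswith("#")]


def locked_accounts_with_keys(shadow_text, authorized_keys):
    """Return [(user, key_count)] for accounts that are locked yet hold keys.

    authorized_keys maps user -> list of authorized_keys lines.
    """
    found = []
    for user, pw in parse_shadow(shadow_text).items():
        keys = active_keys(authorized_keys.get(user, []))
        if is_locked(pw) and keys:
            found.append((user, len(keys)))
    return found


def read_authorized_keys():
    """Collect ~user/.ssh/authorized_keys for every passwd entry on a live host.

    Assumes the default AuthorizedKeysFile location; needs root to read the
    shadow file alongside it.
    """
    keys = {}
    for entry in pwd.getpwall():
        path = os.path.join(entry.pw_dir, ".ssh", "authorized_keys")
        if os.path.isfile(path):
            with open(path) as fh:
                keys[entry.pw_name] = fh.read().splitlines()
    return keys


if __name__ == "__main__":
    # Demonstrate on the constructed data; swap in open('/etc/shadow').read()
    # and read_authorized_keys() to audit a real host as root.
    for user, count in locked_accounts_with_keys(SAMPLE_SHADOW, SAMPLE_KEYS):
        print(f"{user}: password locked but {count} authorized key(s) present")
```

On the sample data the report lists alice and bob: their password fields are locked but they still have usable key entries, which is exactly the combination the thread describes. carol has keys but an unlocked password, and dave is locked with no keys, so neither is reported. Whether the flagged accounts can actually log in is then a question for the platform's sshd and PAM account checks, as the HP-UX versus Solaris observations above show.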