Openssh still logs in while passwd is locked

Darren Moffat Darren.Moffat at Sun.COM
Thu May 23 06:12:07 EST 2002


>Using OpenSSH 3.1p1 on a Sun Solaris 7 box, I disabled an account using the
>'passwd -l ...' command to lock the user's password. However, the user can
>still access the system via ssh. Whilst I could do other things such as
>moving their .ssh directory, removing their account home directory, etc,
>etc, is there some 'nicer' way to inform ssh that the account is now locked
>and thus to not allow them to login?

The pam_unix.so module doesn't check for *LK* in pam_acct_mgmt since it
was assuming that pam_authenticate() had been called already - in those
cases it would fail.  If, however, you are using publickey authentication
rather than going through PAM with a password, pam_acct_mgmt is called
without first going to pam_authenticate().

This has been fixed in the new pam modules for Solaris 9 where
pam_unix_account.so does an explicit check for *LK* so it is now safe
to call pam_acct_mgmt() if pam_authenticate() wasn't called.

I would say that this is a bug in pam_unix.so on Solaris 2.6 onwards,
you should log a call with Sun Enterprise Services.  I would recommend
stating the bug as follows:
	pam_sm_acct_mgmt() in pam_unix.so.1 does not check for the user's
	password being the lockstring (*LK*).  This has already been fixed
	in Solaris 9 pam_unix_account.so and I would like a similar fix
	applied to pam_unix.so.1 for Solaris 7 onwards.

--
Darren J Moffat
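The two PAM code paths the reply describes, modelled as an added example (a constructed simulation, not Sun's pam_unix.so or OpenSSH code; the shadow entries, PAM return codes and function names are assumptions made for illustration):

```python
"""Model of the Solaris pam_unix account-management gap described above.

Constructed example: the shadow entries and the PAM flow below are a
simplified simulation, not Sun's pam_unix.so code.
"""

LOCKSTRING = "*LK*"   # prefix that `passwd -l` writes into the shadow password field

# Constructed shadow(4)-style entries: user -> password field (hashes are made up)
SHADOW = {
    "alice": "abCdEfGhIjKlM",        # normal hashed password
    "bob":   "*LK*abCdEfGhIjKlM",    # locked with `passwd -l bob`
}

# Assumed return codes, in the spirit of PAM_SUCCESS / PAM_AUTH_ERR / PAM_ACCT_EXPIRED
PAM_SUCCESS, PAM_AUTH_ERR, PAM_ACCT_EXPIRED = 0, 7, 13

def pam_authenticate(user: str, password_ok: bool) -> int:
    """Password path: a *LK* field can never match, so locked users fail here."""
    field = SHADOW.get(user, "")
    if field.startswith(LOCKSTRING) or not password_ok:
        return PAM_AUTH_ERR
    return PAM_SUCCESS

def pam_acct_mgmt_old(user: str) -> int:
    """Pre-Solaris-9 behaviour as described in the post: assumes
    pam_authenticate() already ran, so it never looks at *LK* itself."""
    return PAM_SUCCESS if user in SHADOW else PAM_ACCT_EXPIRED

def pam_acct_mgmt_fixed(user: str) -> int:
    """Solaris 9 pam_unix_account.so behaviour: explicit lockstring check,
    safe to call even when pam_authenticate() was skipped."""
    field = SHADOW.get(user)
    if field is None or field.startswith(LOCKSTRING):
        return PAM_ACCT_EXPIRED
    return PAM_SUCCESS

def ssh_login(user: str, method: str, acct_mgmt) -> bool:
    """Simplified sshd flow: password auth goes through pam_authenticate();
    publickey auth (key already verified by sshd) calls only acct_mgmt."""
    if method == "password":
        if pam_authenticate(user, password_ok=True) != PAM_SUCCESS:
            return False
    elif method != "publickey":
        raise ValueError(f"unknown method {method}")
    return acct_mgmt(user) == PAM_SUCCESS

if __name__ == "__main__":
    for mod in (pam_acct_mgmt_old, pam_acct_mgmt_fixed):
        for method in ("password", "publickey"):
            print(f"{mod.__name__:20} {method:9} bob -> {ssh_login('bob', method, mod)}")
```

Running it shows the locked user "bob" rejected on the password path under both modules, but admitted on the publickey path only by the old module, which is exactly the gap the reply describes.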
