Openssh still logs in while passwd is locked

Kevin Steves kevin at atomicgears.com
Sun May 26 04:26:15 EST 2002


On Wed, May 22, 2002 at 01:12:07PM -0700, Darren Moffat wrote:
> >Using OpenSSH 3.1p1 on a Sun Solaris 7 box, I disabled an account using the
> >'passwd -l ...' command to lock the users password. However, the user can
> >still access the system via ssh. Whilst I could do other things such as
> >moving their .ssh directory, removing their account home directory, etc,
> >etc, is there some 'nicer' way to inform ssh that the account is now locked
> >and thus to not allow them to login?
> 
> The pam_unix.so module doesn't check for *LK* in pam_acct_mgmt since it
> was assuming that pam_authenticate() had been called already - in those
> cases it would fail.  If however you are using publickey authentication
> rather than going through PAM with a password pam_acct_mgmt is called
> without first going to pam_authenticate().
> 
> This has been fixed in the new pam modules for Solaris 9 where 
> pam_unix_account.so does an explicit check for *LK* so it is now safe
> to call pam_acct_mgmt() if pam_authenticate() wasn't called.

What else is special besides "*LK*" (I'm wondering about "NP")?
How exactly does ``passwd -sa'' determine LK status?  Are there
issues with/without /etc/shadow (I see pwconv(1M) for example)?
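The explicit "*LK*" check Darren describes in pam_unix_account.so, as an added illustration (not code from the list or from Solaris): an account-stage check that must hold even when pam_authenticate() was never called, such as a public-key login. The "NP" marker is treated as Solaris' "no password" convention, which is an assumption here, and the shadow entries are constructed samples.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Classification of the password field in a shadow(4)-style entry. */
enum pw_state { PW_NORMAL, PW_LOCKED, PW_NOPASS, PW_EMPTY };

/* Locked when the field starts with "*LK*" (prefix check, so both a bare
 * "*LK*" and "*LK*<old hash>" are caught). "NP" is assumed to mean
 * "no password"; it is reported separately so the caller decides. */
enum pw_state classify_password(const char *field)
{
    if (field == NULL || *field == '\0')
        return PW_EMPTY;
    if (strncmp(field, "*LK*", 4) == 0)
        return PW_LOCKED;
    if (strcmp(field, "NP") == 0)
        return PW_NOPASS;
    return PW_NORMAL;
}

/* Copy the password field (second colon-separated field) of a shadow line
 * "name:passwd:lastchg:..." into out. Returns false on malformed input. */
bool shadow_password_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (start == NULL) return false;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outlen) return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* Account-management decision independent of authentication: only an
 * ordinary hashed password field lets the login proceed (fail closed). */
bool account_permitted(const char *shadow_line)
{
    char pw[128];
    if (!shadow_password_field(shadow_line, pw, sizeof pw))
        return false;
    return classify_password(pw) == PW_NORMAL;
}

int main(void)
{
    /* Constructed sample entries, not real system data. */
    const char *samples[] = {
        "alice:$1$abcdefgh$0123456789abcdefghijkl:11834:::::",
        "bob:*LK*$1$abcdefgh$0123456789abcdefghijkl:11834:::::",
        "carol:NP:11834:::::",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", samples[i],
               account_permitted(samples[i]) ? "allowed" : "denied");
    return 0;
}
```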



More information about the openssh-unix-dev mailing list