Locked account and logging in with public key
Darren J Moffat
Darren.Moffat at Sun.COM
Wed Nov 13 07:41:45 EST 2002
On Tue, 12 Nov 2002, Osmo Paananen wrote:
> I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled.
>
> It seems that if I use public key authentication I can log in to an
> account that is locked (/etc/shadow has *LK* as password).
> Login is also allowed even if the user does not have a valid shell.
>
> Is this a bug or am I missing something?
It is a Solaris 8 bug that was fixed in Solaris 9 (Sun BugId: 4506972)
when pam_unix was broken into smaller modules.
If tthe password field had *LK* in it the pam_authenticate call would
have failed. However when using public key pam_authenticate() is not
called only pam_acct_mgmt. In Solaris 9 the pam_sm_acct_mgmt() in
pam_unix_account.so.1 call checks for *LK* explictly so that even if
pam_authenticate() hadn't been called the account will still be reported
as locked if pam_unix_account is in the PAM stack (which it is by default).
The fix could be backported to Solaris 8 and I believe it will be done
as part of a pending Solaris 8 feature patch - though I can't confirm
this at the moment.
--
Darren J Moffat
More information about the openssh-unix-dev
mailing list