Locked account and logging in with public key

Darren J Moffat Darren.Moffat at Sun.COM
Wed Nov 13 07:41:45 EST 2002


On Tue, 12 Nov 2002, Osmo Paananen wrote:

> I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled.
>
> It seems that if I use public key authentication I can log in to an
> account that is locked (/etc/shadow has *LK* as password).
> Login is also allowed even if the user does not have a valid shell.
>
> Is this a bug or am I missing something?

It is a Solaris 8 bug that was fixed in Solaris 9 (Sun BugId: 4506972)
when pam_unix was broken into smaller modules.

If the password field had *LK* in it the pam_authenticate call would
have failed.  However when using public key pam_authenticate() is not
called, only pam_acct_mgmt.  In Solaris 9 the pam_sm_acct_mgmt() in
pam_unix_account.so.1 call checks for *LK* explicitly so that even if
pam_authenticate() hadn't been called the account will still be reported
as locked if pam_unix_account is in the PAM stack (which it is by default).

The fix could be backported to Solaris 8 and I believe it will be done
as part of a pending Solaris 8 feature patch - though I can't confirm
this at the moment.

-- 
Darren J Moffat
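An added audit script, not code from this thread or from Sun, that lists the accounts the bug above exposes: users whose shadow(4) password field carries the Solaris *LK* lock but who still have an authorized_keys file, so a Solaris 8 sshd running only pam_acct_mgmt() on the public-key path would admit them. It goes slightly beyond the message by also treating the "!" prefix that Linux's passwd -l writes as a lock; the passwd/shadow file paths and the root prefix are arguments so it can run against copied files, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the names of accounts whose
# shadow(4) password field is locked (Solaris "*LK*" prefix, optionally followed
# by the old hash; also the "!" prefix Linux uses) but that still have
# ~/.ssh/authorized_keys, i.e. the accounts a public-key login that skips
# pam_authenticate() would let in on Solaris 8 despite the lock.
# Arguments: a passwd-format file, a shadow-format file, and a root prefix
# prepended to each home directory (pass "" when auditing the live system).
locked_with_keys() {
    passwd_file=$1 shadow_file=$2 root=$3
    # shadow(4): name:password:lastchg:min:max:warn:inactive:expire:flag
    while IFS=: read -r name pw _rest; do
        case $pw in
            '*LK*'*|'!'*) ;;   # locked: go on to the authorized_keys check
            *) continue ;;     # not locked (hash, NP or empty): skip
        esac
        # passwd(4): name:x:uid:gid:gecos:home:shell -- field 6 is the home dir
        home=$(awk -F: -v u="$name" '$1 == u { print $6; exit }' "$passwd_file")
        [ -n "$home" ] || continue
        if [ -f "$root$home/.ssh/authorized_keys" ]; then
            printf '%s\n' "$name"
        fi
    done < "$shadow_file"
}

# Self-contained demo on constructed data: alice and bob are locked, but only
# alice has keys; carol has keys but is not locked. Only alice is reported.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/export/home/alice/.ssh" "$tmp/export/home/bob/.ssh" \
             "$tmp/export/home/carol/.ssh"
    : > "$tmp/export/home/alice/.ssh/authorized_keys"
    : > "$tmp/export/home/carol/.ssh/authorized_keys"
    printf '%s\n' \
        'alice:x:1001:10:Alice:/export/home/alice:/bin/sh' \
        'bob:x:1002:10:Bob:/export/home/bob:/bin/sh' \
        'carol:x:1003:10:Carol:/export/home/carol:/bin/sh' > "$tmp/passwd"
    printf '%s\n' \
        'alice:*LK*:12000::::::' \
        'bob:*LK*:12000::::::' \
        'carol:$1$constructedhash:12000::::::' > "$tmp/shadow"
    locked_with_keys "$tmp/passwd" "$tmp/shadow" "$tmp"
    rm -rf "$tmp"
}
```

On a real Solaris 8 host, `locked_with_keys /etc/passwd /etc/shadow ""` (run as root) gives the list of accounts to review until the pam_unix_account fix is in place.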