Locked account and logging in with public key

Darren J Moffat Darren.Moffat at Sun.COM
Thu Nov 14 03:28:51 EST 2002

On Wed, 13 Nov 2002, Osmo Paananen wrote:

> Darren J Moffat wrote:
> >On Tue, 12 Nov 2002, Osmo Paananen wrote:
> >
> >>I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled.
> >>It seems that if I use public key authentication I can log in to an
> >>account that is locked (/etc/shadow has *LK* as password).
> >>Login is also allowed even if the user does not have a valid shell.
> >>Is this a bug or am I missing something
> >>
> >
> >It is a Solaris 8 bug that was fixed in Solaris 9 (Sun BugId: 4506972)
> >when pam_unix was broken into smaller modules.
> >
> I don't believe that this is a Solaris 8 issue.  The behavior seems to
> be identical in Solaris 2.6.

You mentioned Solaris 8 as what you were running it is a bug in Solaris 8.
That bug is present in Solaris 2.6 through Solaris 8.

> Could this be a configuration issue?

No it is an issue with how OpenSSH uses PAM and the assumptions that
the pam_unix module had made.  It isn't an OpenSSH bug or a configuration
bug.  It is a bug in pam_unix that can only show up if applications do
not call pam_authenticate but still expect that pam_acct_mgmt will tell
them if the account it locked.

You can create a simple PAM module that implements pam_sm_acct_mgmt()
and checks for the exact string *LK*.  However if the account is locked
by some other means (other than running passwd -l <username>) then that
isn't going to work either.  *LK* is the correct lock string for Solaris,
it may not be correct for other systems that have PAM and a pam_unix or
pam_unix like module.

Darren J Moffat

More information about the openssh-unix-dev mailing list