[Bug 442] New: sshd allows login via public-key when account locked
bugzilla-daemon at mindrot.org
Sun Nov 24 14:23:29 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=442
Summary: sshd allows login via public-key when account locked
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: dtucker at zip.com.au
Observed on Redhat and Solaris.
When openssh is configured without PAM, an account that is locked (via passwd -l)
can still be logged into via public-key authentication.
Although the password field is modified (to "*LK*" on Solaris or with a leading
"!" on Redhat), allowed_user() does not test for those, so if password
authentication isn't used, the login still succeeds.
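The lock-marker test that the report says allowed_user() lacks, as an added example in C (not OpenSSH's code or its eventual fix): it checks the password field for the two markers named above and applies the result to every authentication method. The function names and the sample shadow-style lines are constructed, and matching "*LK*" as a prefix is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Lock markers named in the report: "*LK*" (Solaris), leading "!" (Redhat).
 * Matching "*LK*" as a prefix is an assumption of this example. */
int passwd_field_locked(const char *pw)
{
    if (pw == NULL)
        return 0;
    return pw[0] == '!' || strncmp(pw, "*LK*", 4) == 0;
}

/* Parse one shadow-style line "name:passwd:..." and report its lock state.
 * Returns 1 locked, 0 not locked, -1 malformed; copies the name into user. */
int shadow_line_locked(const char *line, char *user, size_t userlen)
{
    const char *c1 = strchr(line, ':');
    if (c1 == NULL || c1 == line || (size_t)(c1 - line) >= userlen)
        return -1;
    const char *c2 = strchr(c1 + 1, ':');
    size_t pwlen = c2 ? (size_t)(c2 - c1 - 1) : strcspn(c1 + 1, "\n");
    char pw[256];
    if (pwlen >= sizeof(pw))
        return -1;
    memcpy(user, line, (size_t)(c1 - line));
    user[c1 - line] = '\0';
    memcpy(pw, c1 + 1, pwlen);
    pw[pwlen] = '\0';
    return passwd_field_locked(pw);
}

/* Gate applied to password and public-key logins alike; malformed input is denied. */
int login_permitted(const char *shadow_line)
{
    char user[64];
    return shadow_line_locked(shadow_line, user, sizeof(user)) == 0;
}

int main(void)
{
    /* Constructed sample entries, not real accounts. */
    const char *samples[] = {
        "alice:$1$abcdefgh$constructedhashvalue000:12000:0:99999:7:::",
        "bob:!$1$abcdefgh$constructedhashvalue000:12000:0:99999:7:::",
        "carol:*LK*:::::::",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%s -> %s\n", samples[i], login_permitted(samples[i]) ? "allow" : "deny");
    return 0;
}
```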