[Bug 442] New: sshd allows login via public-key when account locked

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Nov 24 14:23:29 EST 2002


           Summary: sshd allows login via public-key when account locked
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: security
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dtucker at zip.com.au

Observed on Red Hat and Solaris.

When OpenSSH is configured without PAM, an account that is locked (via passwd -l) can still be logged into via public-key authentication.

Although the password field is modified (to "*LK*" on Solaris or with a leading "!" on Red Hat), allowed_user() does not test for those, so if password authentication isn't used, the login still succeeds.

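The lock test the report says allowed_user() is missing, written out as an added standalone illustration. This is not OpenSSH's code and not the fix the project eventually applied: it takes the password field as a string rather than reading /etc/shadow, and account_allowed() is a hypothetical stand-in for the sshd function, kept only to show where such a check would sit. The two markers it recognises are exactly the ones named in the report ("*LK*" prefix on Solaris, leading "!" on Red Hat); the sample fields in main() are constructed, not real hashes.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not OpenSSH's own code.
 * Returns 1 if the password field carries a lock marker written by
 * passwd -l, 0 otherwise. Markers, both taken from the bug report:
 *   Solaris:  field replaced by / prefixed with "*LK*"
 *   Red Hat:  existing hash prefixed with "!"
 * A NULL or empty field is not treated as locked here; an empty field
 * is a different condition (no password) and is handled elsewhere.
 */
int
passwd_field_is_locked(const char *pw)
{
	if (pw == NULL)
		return 0;
	if (strncmp(pw, "*LK*", 4) == 0)	/* Solaris passwd -l */
		return 1;
	if (pw[0] == '!')			/* Red Hat passwd -l */
		return 1;
	return 0;
}

/*
 * Hypothetical stand-in for allowed_user(): the point of the report is
 * that this test has to run regardless of which authentication method
 * is used, so it belongs on the account-permitted path, not only in
 * password authentication. Returns 1 if login may proceed, 0 if not.
 */
int
account_allowed(const char *user, const char *passwd_field)
{
	if (passwd_field_is_locked(passwd_field)) {
		fprintf(stderr,
		    "User %.100s not allowed because account is locked\n",
		    user);
		return 0;
	}
	return 1;
}

int
main(void)
{
	/* Constructed sample password fields, not real hashes. */
	const char *solaris_locked = "*LK*";
	const char *redhat_locked  = "!$1$saltsalt$fakehashfakehashfake";
	const char *unlocked       = "$1$saltsalt$fakehashfakehashfake";

	printf("solaris locked -> allowed=%d\n",
	    account_allowed("alice", solaris_locked));
	printf("redhat locked  -> allowed=%d\n",
	    account_allowed("bob", redhat_locked));
	printf("unlocked       -> allowed=%d\n",
	    account_allowed("carol", unlocked));
	return 0;
}
```

The check is deliberately placed on the path every authentication method goes through, which is the substance of the report: testing the password hash only inside password authentication leaves public-key logins untouched.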