Test for locked account in auth.c (bug #442).
Darren Tucker
dtucker at zip.com.au
Wed Jan 8 21:12:57 EST 2003
Darren Tucker wrote:
> Damien Miller wrote:
> > How does the following look:
> Proposed change looks OK to me.
Hmm, HP-UX (in non-trusted configuration) uses exactly "*" to denote a
locked password. The attached patch catches this and also adds a
paragraph to sshd.8 explaining what's going on.
There may be other passwd entries that need to be added for other
platforms.
-Daz.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth.c
===================================================================
RCS file: /cvs/openssh/auth.c,v
retrieving revision 1.65
diff -u -r1.65 auth.c
--- auth.c 7 Jan 2003 12:56:00 -0000 1.65
+++ auth.c 8 Jan 2003 10:01:41 -0000
@@ -97,7 +97,9 @@
#endif
/* check for locked account */
- if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
+ if (strcmp(passwd, "*LK*") == 0 || /* Solaris */
+ strcmp(passwd, "*") == 0 || /* HP-UX */
+ passwd[0] == '!') { /* Redhat */
log("User %.100s not allowed because account is locked",
pw->pw_name);
return 0;
Index: sshd.8
===================================================================
RCS file: /cvs/openssh/sshd.8,v
retrieving revision 1.150
diff -u -r1.150 sshd.8
--- sshd.8 25 Sep 2002 02:20:54 -0000 1.150
+++ sshd.8 8 Jan 2003 10:01:42 -0000
@@ -112,6 +112,26 @@
authentication, RSA challenge-response authentication, or password
based authentication.
.Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible. An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&. An account is considered locked if the passwd entry equals
+.Ql \&*LK\&*
+or
+.Ql \&*
+, or has a leading
+.Ql \&!
+character. If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
Rhosts authentication is normally disabled
because it is fundamentally insecure, but can be enabled in the server
configuration file if desired.
More information about the openssh-unix-dev
mailing list