Test for locked account in auth.c (bug #442).

Martin MOKREJŠ mmokrejs at natur.cuni.cz
Wed Jan 8 21:29:36 EST 2003


On Wed, 8 Jan 2003, Darren Tucker wrote:

> Darren Tucker wrote:
> > Damien Miller wrote:
> > > How does the following look:
> > Proposed change looks OK to me.
>
> Hmm, HP-UX (in non-trusted configuration) uses exactly "*" to denote a
> locked password.  The attached patch catches this and also adds a
> paragraph to sshd.8 explaining what's going on.
>
> There may be other passwd entries that need to be added for other
> platforms.

For example OSF1 3.2 ==  DU4.0 == Tru64-5.X use

:*:
:*gfcXdf83E:
:*Nologin:
:Nologin*:
:Nologin:

in the password field to denote a locked account. This also applies partly
to C2 security on those systems (when an account is locked manually by
the admin), it will be detected this way too. However, the so-called
protected password database has special fields to mark locked accounts,
lock them based on the number of unsuccessful logins etc. Those cases of
course cannot be detected using any logic interpreting the passwd file.

-- 
Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
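
A check for the passwd-field forms listed in the message above, added here as an example; it is not the patch under discussion and not OpenSSH code. The function names are hypothetical, the sample lines are constructed, and treating any field with a leading "*" as locked is an assumption generalized from the listed forms.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a passwd password field matches one of the locked-account
 * forms listed for OSF1 / DU / Tru64, else 0.
 * Assumption: a leading '*' covers "*", "*gfcXdf83E" and "*Nologin";
 * "Nologin" and "Nologin*" are matched as exact literals. */
int pw_field_locked(const char *pw)
{
    if (pw == NULL)
        return 0;
    if (pw[0] == '*')
        return 1;
    return strcmp(pw, "Nologin") == 0 || strcmp(pw, "Nologin*") == 0;
}

/* Extract the second colon-separated field of a passwd line and classify it.
 * Returns 1 = locked, 0 = not locked, -1 = malformed or oversized field. */
int passwd_line_locked(const char *line)
{
    char field[128];
    const char *start, *end;
    size_t len;

    if (line == NULL || (start = strchr(line, ':')) == NULL)
        return -1;
    start++;
    if ((end = strchr(start, ':')) == NULL)
        return -1;
    len = (size_t)(end - start);
    if (len >= sizeof(field))
        return -1;
    memcpy(field, start, len);
    field[len] = '\0';
    return pw_field_locked(field);
}

int main(void)
{
    /* Constructed sample entries, not taken from a real system. */
    const char *lines[] = {
        "alice:*:1001:15:Alice:/home/alice:/bin/sh",
        "bob:*gfcXdf83E:1002:15:Bob:/home/bob:/bin/sh",
        "carol:Nologin:1003:15:Carol:/home/carol:/bin/sh",
        "dave:gfcXdf83EabcD:1004:15:Dave:/home/dave:/bin/sh",
    };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%d  %s\n", passwd_line_locked(lines[i]), lines[i]);
    return 0;
}
```

As the message notes, locks recorded only in the protected password database are invisible to a check like this one.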


