Test for locked account in auth.c (bug #442).

Darren Tucker dtucker at zip.com.au
Wed Jan 8 22:04:20 EST 2003


Martin MOKREJ© wrote:
[locked accounts]
> For example OSF1 3.2 ==  DU4.0 == Tru64-5.X use
> :*:, :*gfcXdf83E:, :*Nologin:, :Nologin*:, :Nologin:
> in the password filed to denoted locked account. This also applies partly
> to C2 security on those systems (when account is locked manually by
> admin), it will be detected using this way too.

I'm only interested in whatever "passwd -l" or its equivalent does to
the passwd entry, so when an admin locks the account, it really is
locked.  Any admin that hand-hacks /etc/passwd or equivalent is on their
own.

System accounts shouldn't ever have a $HOME/.ssh/authorized_keys file so
they don't matter.

> However, the so called
> protected password database has special fields to mark locked accounts,
> locked them based number of unsuccessful logins etc. Those cases of
> course cannot be detected using any logic interpreting passwd file.

Trusted HP-UX has those too (in /tcb) but the only sane way to use them
seems to be via PAM.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



More information about the openssh-unix-dev mailing list