Test for locked account in auth.c (bug #442).

Darren Tucker dtucker at zip.com.au
Sun Jan 12 13:05:41 EST 2003


Martin MOKREJŠ wrote:
> On Wed, 8 Jan 2003, Darren Tucker wrote:
> > I'm only interested in whatever "passwd -l" or its equivalent does to
> > the passwd entry, so when an admin locks the account, it really is
> > locked.  Any admin that hand-hacks /etc/passwd or equivalent is on their
> > own.
> 
> I did not mean with "manually" hand-hacked. I meant more "by intention
> using standard tools". Those examples and not hand-introduced locks.
> For example, the :*Nologin: and :Nologin*: even fools DEC engineers, so
> the account manager gui used to show lock icon on an account name only in one
> of these two cases. I've checked the manpage and it still describes only
> "*", but in EXAMPLES section is :Nologin:. It's just incomplete. The above
> is a summary of real life cases.

Ew.  Gotta love consistency.

This patch adds handling of those cases (and takes into account the IRIX
cases as described by Herbert Lewis) and adds a paragraph to sshd.8
describing what happens.

Before anyone reads the comments and says "but Redhat has * too", they
only reflect the results of an admin locking the account.  Unfortunately
there is some overlap (eg Redhat uses "*" for system accounts, while
HP-UX uses "*" for passwd -l).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth.c
===================================================================
RCS file: /cvs/openssh/auth.c,v
retrieving revision 1.66
diff -u -r1.66 auth.c
--- auth.c	9 Jan 2003 04:04:28 -0000	1.66
+++ auth.c	12 Jan 2003 01:47:06 -0000
@@ -100,7 +100,14 @@
 #endif
 
 	/* check for locked account */
-	if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
+	if (strcmp(passwd, "*LK*") == 0 ||	/* Solaris,IRIX */
+	    strcmp(passwd, "*") == 0 ||		/* HP-UX,Tru64 */
+	    strstr(passwd, "Nologin") ||	/* Tru64 */
+#ifdef __osf
+	    /* Tru64 but we also want to allow "passwordless" accounts */
+	    (passwd[0] == '*' && strcmp(passwd, "*NP*") != 0)
+#endif
+	    passwd[0] == '!') {			/* Redhat */
 		log("User %.100s not allowed because account is locked",
 		    pw->pw_name);
 		return 0;
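Review bot: the `#ifdef __osf` branch breaks the expression: the line `(passwd[0] == '*' && strcmp(passwd, "*NP*") != 0)` has no trailing `||`, so when `__osf` is defined it is immediately followed by `passwd[0] == '!'` with no operator between them and auth.c will not compile on Tru64 (the one platform the branch exists for). Put `||` at the end of that line, inside the `#ifdef`, so the `#else` path still ends cleanly. Separately, `strstr(passwd, "Nologin")` matches the substring anywhere in the field, which is wider than the `:Nologin:`, `:*Nologin:` and `:Nologin*:` forms described in the thread; a hash that happens to contain those characters would lock the user out, so consider matching the whole field with an optional leading or trailing `*` rather than any substring.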
Index: sshd.8
===================================================================
RCS file: /cvs/openssh/sshd.8,v
retrieving revision 1.150
diff -u -r1.150 sshd.8
--- sshd.8	25 Sep 2002 02:20:54 -0000	1.150
+++ sshd.8	12 Jan 2003 01:47:07 -0000
@@ -112,6 +112,30 @@
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible.  An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&.  An account is considered locked if the passwd entry equals
+.Ql \&*LK\&*
+or
+.Ql \&*
+, contains the string
+.Ql Nologin
+, or has a leading
+.Ql \&!
+(or, on Tru64, a
+.Ql \&*
+) character.  If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
 Rhosts authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.
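Review bot: the new paragraph says an account is locked if the passwd field "has a leading `!` (or, on Tru64, a `*`)", but the auth.c change exempts exactly `*NP*` from the Tru64 leading-`*` rule; the exception only appears indirectly in the closing recommendation to use `NP` or `*NP*`, so state it explicitly beside the Tru64 clause. Also "while allowing still public-key" should read "while still allowing public-key", and the punctuation placed at the start of the lines following `.Ql` (", contains the string", ", or has a leading", ") character.") will render with a stray space before it; in mdoc the punctuation belongs as a trailing argument on the macro line, e.g. `.Ql \&*LK\&*` followed by `.Ql \&* ,`.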

