Test for locked account in auth.c (bug #442).

Kevin Steves stevesk at pobox.com
Mon Jan 13 05:14:29 EST 2003


On Sun, Jan 12, 2003 at 09:59:52PM +1100, Darren Tucker wrote:
>  	/* check for locked account */
> -	if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
> +	if (passwd && (strcmp(passwd, "*LK*") == 0 ||	/* Solaris,IRIX */
> +	    strcmp(passwd, "*") == 0 ||			/* HP-UX,Tru64 */
> +	    strstr(passwd, "Nologin") ||		/* Tru64 */
> +#ifdef __osf
> +	    /* Tru64 but we also want to allow "passwordless" accounts */
> +	    (passwd[0] == '*' && strcmp(passwd, "*NP*") != 0) ||
> +#endif
> +	    passwd[0] == '!')) {			/* Redhat */
>  		log("User %.100s not allowed because account is locked",
>  		    pw->pw_name);
>  		return 0;
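Review bot: with the new `passwd &&` guard in place, a NULL password field makes the whole condition false and execution falls through to "account not locked"; if `passwd` can be NULL at this point, failing closed (treat as locked, or log and reject) looks safer than silently allowing the login. The condition has also grown to six platform-specific tests in one `if`; a small `static int account_locked(const char *passwd)` helper with one commented test per platform would keep the `/* Solaris,IRIX */`-style notes readable and make the Tru64-only `#ifdef __osf` branch easier to follow.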

I just wonder if we really want to attempt all these checks.  If you
lock a user's password but leave the authorized_keys file permitting
access, is the account locked?  There's a split in opinion on that, I
think.

Also, it may be simpler to check for strlen(passwd) < 13, as it may be
safe to always consider that an invalid password.  Maybe.
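As an added illustration, not code from this thread or from OpenSSH, the following stand-alone C harness runs the marker list from the quoted hunk and the strlen(passwd) < 13 shortcut side by side over constructed password fields, so the cases where the two disagree (the "*NP*" passwordless marker, an empty field, a '!'-prefixed hash) are visible. The sample hashes are made up, and the Tru64-only branch is compiled in unconditionally so it can be exercised on any host.

```c
#include <stdio.h>
#include <string.h>

/* Marker check mirroring the quoted hunk. Differences: a NULL field is
 * treated as locked (fail closed) where the patch lets it fall through as
 * "not locked", and the Tru64-only "*" prefix branch is always compiled. */
int locked_by_markers(const char *passwd)
{
    if (passwd == NULL)
        return 1;
    return strcmp(passwd, "*LK*") == 0 ||                      /* Solaris, IRIX */
           strcmp(passwd, "*") == 0 ||                         /* HP-UX, Tru64 */
           strstr(passwd, "Nologin") != NULL ||                /* Tru64 */
           (passwd[0] == '*' && strcmp(passwd, "*NP*") != 0) || /* Tru64, keep "*NP*" */
           passwd[0] == '!';                                   /* Red Hat */
}

/* Length heuristic from the reply: anything shorter than a 13-character
 * traditional crypt(3) result cannot be a valid hash, so call it locked. */
int locked_by_length(const char *passwd)
{
    return passwd == NULL || strlen(passwd) < 13;
}

/* Constructed sample password fields; none is taken from a real system. */
struct sample { const char *field; const char *note; };
static const struct sample samples[] = {
    { "*LK*",           "Solaris lock marker" },
    { "*",              "HP-UX lock marker" },
    { "!ab0Gx8Zq7Kj2M", "Red Hat '!' prefix on a 13-char hash" },
    { "*NP*",           "Tru64 passwordless marker" },
    { "",               "empty field" },
    { "ab0Gx8Zq7Kj2M",  "13-char traditional crypt hash" },
    { "$1$saltsalt$iBAd5BfTvIqTcLBGYeS9A0", "MD5-crypt hash" },
};
/* Prints each sample the two checks classify differently; returns the count. */
int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int m = locked_by_markers(samples[i].field);
        int l = locked_by_length(samples[i].field);
        if (m != l) {
            printf("%-38s markers=%d length=%d\n", samples[i].note, m, l);
            n++;
        }
    }
    return n;
}
```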




More information about the openssh-unix-dev mailing list