Test for locked account in auth.c (bug #442).
Ben Lindstrom
mouring at etoh.eviladmin.org
Mon Jan 13 19:55:18 EST 2003
On Mon, 13 Jan 2003, Darren Tucker wrote:
> Lee Eakin wrote:
> > If we simplify to the point of 'strlen(passwd) < 13'
>
> That is precisely what I was trying to avoid as it would stop valid use
> of public-key only authentication via existing no-password strings (eg
> "NP" on Solaris).
>
> Damien Miller wrote:
> > Kevin Steves wrote:
> > > i just wonder if we really want to attempt all these checks. if you
> > > lock a user's password but leave the authorized_keys file permitting
> > > access is the account locked? there's a split in opinion on that i
> > > think.
>
> That's the crux of the issue. I recently had to disable an account
> (normally we just delete 'em) and I realized that sshd would probably
> still allow public-key auth. I had to check the code to be sure, hence
> the bug and patch.
>
I think password disabling via expired passwords would be a better way.
OpenBSD by default supports this behavior so it is consistent and I know
shadow and PAM systems support it.
- Ben
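As an added illustration (not code from the bug #442 patch or from OpenSSH's auth.c): a C check that separates explicit lock markers from the Solaris "NP" no-password string, showing why the 'strlen(passwd) < 13' shortcut quoted above would misclassify key-only accounts. The "*LK*" (Solaris) and leading "!" (Linux shadow) lock markers are platform conventions assumed here, and the sample hash is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Platform conventions assumed for this example:
 *   Solaris "passwd -l" writes "*LK*" at the start of the field,
 *   Linux shadow "passwd -l" prepends "!" to the existing hash,
 *   Solaris "NP" means "no password", i.e. key-only login is intended. */
#define LOCKED_MARKER_SOLARIS "*LK*"
#define LOCKED_MARKER_SHADOW  '!'
#define NO_PASSWORD_MARKER    "NP"

/* The shortcut discussed in the thread: anything shorter than a
 * classic 13-character crypt(3) hash is treated as locked. */
bool naive_locked(const char *pw)
{
	return pw == NULL || strlen(pw) < 13;
}

/* Explicit test: locked only when a known lock marker is present. */
bool marker_locked(const char *pw)
{
	if (pw == NULL)
		return true;
	if (strncmp(pw, LOCKED_MARKER_SOLARIS,
	    strlen(LOCKED_MARKER_SOLARIS)) == 0)
		return true;
	if (pw[0] == LOCKED_MARKER_SHADOW)
		return true;
	return false;
}

/* "No password set, public-key login still permitted" is a distinct state. */
bool keyonly_allowed(const char *pw)
{
	return pw != NULL && strcmp(pw, NO_PASSWORD_MARKER) == 0;
}

int main(void)
{
	/* Constructed sample field values, not real account data. */
	const char *fields[] = { "NP", "*LK*", "!$1$salt$hash", "ab7Sxyz.../9Q" };
	for (size_t i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
		printf("%-16s naive=%d marker=%d keyonly=%d\n", fields[i],
		    naive_locked(fields[i]), marker_locked(fields[i]),
		    keyonly_allowed(fields[i]));
	return 0;
}
```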