Test for locked account in auth.c (bug #442).

Darren Tucker dtucker at zip.com.au
Tue Jan 14 09:25:25 EST 2003


Ben Lindstrom wrote:
> On Mon, 13 Jan 2003, Darren Tucker wrote:
> > Damien Miller wrote:
> > > Kevin Steves wrote:
> > > > i just wonder if we really want to attempt all these checks.  if you
> > > > lock a user's password but leave the authorized_keys file permitting
> > > > access is the account locked?  there's a split in opinion on that i
> > > > think.
> >
> >       That's the crux of the issue.  I recently had to disable an account
> > (normally we just delete 'em) and I realized that sshd would probably
> > still allow public-key auth.  I had to check the code to be sure, hence
> > the bug and patch.
> 
> I think password disabling via expired passwords would be a better way.
> OpenBSD by default supports this behavior so it is consistent and I know
> shadow and PAM systems support it.

You mean account disabling via expired account?  If you use an expired
password to lock an account you won't be able to use password expiry
for, well, making people change their passwords.

Some platforms (e.g. HP-UX in non-trusted mode) have a concept of locked
accounts but don't have password aging or account expiry.

It boils down to "does passwd -l lock the account or the password?" From
the man pages I've checked the ratio is 2 (account) to 1 (password).

So you can default to allowing locked entries (permissive by default) or
not allowing them (secure by default[0]).

Martin MOKREJŠ has kindly supplied some info about Tru64's
-lauthenticate functions so we could drop the ugliest Tru64 cases and
have another section at the end of allowed_user() like
WITH_AIXAUTHENTICATE.  Then it would look something like

int allowed_user(struct passwd *pw)
{
        /* passwd holds the hash field for pw; on shadow systems it is
         * taken from the shadow entry rather than pw->pw_passwd */
        char *passwd = pw->pw_passwd;

        /* ... existing checks ... */

        /* check for locked account
         * "*LK*"       Solaris, IRIX
         * "*"          HP-UX, Tru64
         * leading "!"  Redhat
         */
        if (passwd && (strcmp(passwd, "*LK*") == 0 ||
            strcmp(passwd, "*") == 0 || passwd[0] == '!')) {
                log("User %.100s not allowed because account is locked",
                    pw->pw_name);
                return 0;
        }
        return 1;
}


[0] Hey, that almost sounds like a motto.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
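The thread weighs two ways of disabling an account: a lock marker in the hash field (the check sketched in the message above) versus an account expiry date (Ben's suggestion). The following is an added example, not OpenSSH code and not from any message in this thread: a small C program that parses shadow(5)-style records and applies both rules. It assumes the standard nine-field layout name:hash:lastchg:min:max:warn:inactive:expire:flag, treats an account as expired once today >= expire (the rule shadow-utils applies; an empty expire field means never), and uses constructed records with placeholder hashes as input.

```c
/*
 * Added example, not OpenSSH code and not from the message above: decide
 * whether an account is usable from a shadow(5)-style record, covering both
 * approaches raised in the thread: a lock marker in the hash field, and an
 * account expiry date.  Record layout assumed:
 *   name:hash:lastchg:min:max:warn:inactive:expire:flag
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum acct_state {
    ACCT_OK = 0,
    ACCT_LOCKED,        /* hash field carries a platform lock marker */
    ACCT_EXPIRED,       /* expire field set and already reached */
    ACCT_BAD_RECORD     /* too few fields to decide */
};

/* Lock markers listed in the message: exact "*LK*" or "*", or a leading '!'. */
static int hash_field_locked(const char *hash)
{
    return strcmp(hash, "*LK*") == 0 ||   /* Solaris, IRIX */
           strcmp(hash, "*") == 0 ||      /* HP-UX, Tru64 */
           hash[0] == '!';                /* Red Hat: passwd -l prepends '!' */
}

/*
 * Classify one record.  `today` is days since the epoch, the unit the expire
 * field uses.  An empty expire field means "never"; otherwise the account is
 * treated as expired once today >= expire (assumed rule, as in shadow-utils).
 */
enum acct_state classify_shadow_line(const char *line, long today)
{
    char buf[512];
    char *fields[9];
    char *p = buf;
    int n = 0;

    strncpy(buf, line, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    buf[strcspn(buf, "\n")] = '\0';

    /* Split on ':' by hand: strtok() would silently merge the empty fields. */
    while (n < 9) {
        char *colon = strchr(p, ':');
        fields[n++] = p;
        if (colon == NULL)
            break;
        *colon = '\0';
        p = colon + 1;
    }
    if (n < 8)
        return ACCT_BAD_RECORD;

    /* A lock marker wins regardless of expiry: the account is disabled. */
    if (hash_field_locked(fields[1]))
        return ACCT_LOCKED;

    if (fields[7][0] != '\0') {
        long expire = strtol(fields[7], NULL, 10);
        if (expire > 0 && today >= expire)
            return ACCT_EXPIRED;
    }
    return ACCT_OK;
}

int main(void)
{
    /* Constructed records with placeholder hashes; 12066 is 2003-01-14. */
    static const char *samples[] = {
        "alice:$1$saltsalt$placeholderhashvalue:12000:0:99999:7:::",
        "bob:!$1$saltsalt$placeholderhashvalue:12000:0:99999:7:::",
        "carol:*LK*:12000:0:99999:7:::",
        "dave:*:12000:0:99999:7:::",
        "erin:$1$saltsalt$placeholderhashvalue:12000:0:99999:7::12000:",
    };
    static const char *names[] = { "ok", "locked", "expired", "bad record" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-64s -> %s\n", samples[i],
               names[classify_shadow_line(samples[i], 12066)]);
    return 0;
}
```

Note the difference the thread turns on: bob's record still contains a valid hash behind the leading '!' (the password was locked and can be unlocked), whereas carol's and dave's hash fields have been replaced outright. Either way the classifier refuses the account, which is the "secure by default" reading of passwd -l; a "permissive" sshd would instead ignore the marker for public-key authentication and only the expiry rule would stop erin.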




More information about the openssh-unix-dev mailing list