Test for locked account in auth.c (bug #442).

Ben Lindstrom mouring at etoh.eviladmin.org
Tue Jan 14 04:22:24 EST 2003


On Tue, 14 Jan 2003, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > On Mon, 13 Jan 2003, Darren Tucker wrote:
> > > Damien Miller wrote:
> > > > Kevin Steves wrote:
> > > > > i just wonder if we really want to attempt all these checks.  if you
> > > > > lock a user's password but leave the authorized_keys file permitting
> > > > > access is the account locked?  there's a split in opinion on that i
> > > > > think.
> > >
> > >       That's the crux of the issue.  I recently had to disable an account
> > > (normally we just delete 'em) and I realized that sshd would probably
> > > still allow public-key auth.  I had to check the code to be sure, hence
> > > the bug and patch.
> >
> > I think password disabling via expired passwords would be a better way.
> > OpenBSD by default supports this behavior so it is consistent and I know
> > shadow and PAM systems support it.
>
> You mean account disabling via expired account?  If you use an expired
> password to lock an account you won't be able to use password expiry
> for, well, making people change their passwords.
>

Password expiring should have two settings (works under OpenBSD with a few
hacks).  Expired but still valid account, and expired and locked.

The latter normally is set by saying 'person has not changed their
password for 4 days.  Therefore the account is now locked until the admin
unlocks it'.

So locking an account is just setting the expiry beyond the latter date.


> Some platforms (eg HP-UX in non-trusted mode) have a concept of locked
> accounts but don't have password aging or account expiry.
>
> It boils down to "does passwd -l lock the account or the password?" From
> the man pages I've checked the ratio is 2 (account) to 1 (password).
>
> So you can default to allowing locked entries (permissive by default) or
> not allowing them (secure by default[0]).
>
> Martin MOKREJŠ has kindly supplied some info about Tru64's
> -lauthenticate functions so we could drop the ugliest Tru64 cases and
> have another section at the end of allowed_user() like
> WITH_AIXAUTHENTICATE.  Then it would look something like
>
> int allowed_user(...
>         /* check for locked account
>          * "*LK*"       Solaris, IRIX
>          * "*"          HP-UX, Tru64
>          * leading "!"  Redhat
>          */
>         if (passwd && (strcmp(passwd, "*LK*") == 0 ||
>             strcmp(passwd, "*") == 0 || passwd[0] == '!')) {
>                 log("User %.100s not allowed because account is locked",
>                     pw->pw_name);
>                 return 0;
>         }
>
>
> [0] Hey, that almost sounds like a motto.
>

Still the question is we don't currently support such code in OpenBSD tree.
Which is a change in how the application works.

NetBSD/FreeBSD/OpenBSD does not support 'passwd -l' style locking.  It is
just an expiration vs valid password test.  I can't track down my BSD/OS
contact (she is more than likely held up doing kernel stuff) so I don't
know if BSD/OS is the same way.

- Ben
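
Added example, not part of the original message or of OpenSSH: a shell audit for the case raised in the thread, an account whose password field carries one of the lock markers listed above ("*LK*", "*", leading "!") while a non-empty authorized_keys file is still in place. The function names, the shadow(5)/passwd(5) field layout, and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts whose password field carries one of the lock
# markers named in the thread while ~/.ssh/authorized_keys is still non-empty.

# is_locked FIELD: succeeds when FIELD is "*LK*", "*", or starts with "!".
is_locked() {
    case "$1" in
        '*LK*'|'*'|'!'*) return 0 ;;  # Solaris/IRIX, HP-UX/Tru64, Redhat
        *) return 1 ;;
    esac
}

# audit_locked_keys SHADOW PASSWD: prints "user keyfile" for each finding.
# Assumes shadow(5)-style "name:field:..." and passwd(5) with home in field 6.
audit_locked_keys() {
    while IFS=: read -r user field _rest; do
        is_locked "$field" || continue
        home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$2")
        if [ -n "$home" ] && [ -s "$home/.ssh/authorized_keys" ]; then
            printf '%s %s\n' "$user" "$home/.ssh/authorized_keys"
        fi
    done < "$1"
    return 0
}

# make_sample DIR: writes constructed passwd/shadow files and home directories.
make_sample() {
    d=$1
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol" "$d/home/dave/.ssh"
    echo 'ssh-ed25519 AAAA-constructed alice' > "$d/home/alice/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAA-constructed bob'   > "$d/home/bob/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAA-constructed dave'  > "$d/home/dave/.ssh/authorized_keys"
    for u in alice bob carol dave; do
        printf '%s:x:1000:1000::%s/home/%s:/bin/sh\n' "$u" "$d" "$u"
    done > "$d/passwd"
    cat > "$d/shadow" <<'EOF'
alice:*LK*:12000::::::
bob:$1$constructed$hash:12000::::::
carol:*:12000::::::
dave:!$1$constructed$hash:12000::::::
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_locked_keys "$tmp/shadow" "$tmp/passwd"   # lists alice and dave
rm -rf "$tmp"
```

Against a live system the function would be pointed at /etc/shadow and /etc/passwd and needs read access to both.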



