Test for locked account in auth.c (bug #442).
Darren J Moffat
Darren.Moffat at Sun.COM
Tue Jan 14 15:34:51 EST 2003
On Mon, 13 Jan 2003, Kevin Steves wrote:
> On Mon, Jan 13, 2003 at 08:59:17PM +1100, Darren Tucker wrote:
> > > If we simplify to the point of 'strlen(passwd) < 13'
> >
> > That is precisely what I was trying to avoid as it would stop valid use
> > of public-key only authentication via existing no-password strings (eg
> > "NP" on Solaris).
>
> ah, i somehow missed that. i'm not sure that differentiation is worth
> the effort. in the solaris case, ``passwd -sa'' displays both cases
> as ``LK''.
That is because the code for passwd -sa uses strlen(passwd) < 13 as the
check. IMO that is a bug in passwd -sa output, in fact I've been trying
to find the time to fix this in passwd but haven't yet come up with a
better algorithm.
As many people have noticed Solaris replaces the password with *LK* when
running passwd -l. However the default /etc/shadow file has some accounts
with "NP" meaning no password. There is another special string which is
"*NP*", the only way you get this is if you are running NIS+ with very
strict passwd.org_dir table permissions, such that you require the user
to first authenticate with the AUTH_DH RPC keys (if that fails you get
back "*NP*").
--
Darren J Moffat
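
The distinction discussed in this message, as an added example that is not part of the original post and not code from OpenSSH's auth.c: the `strlen(passwd) < 13` heuristic next to an explicit match on the three Solaris strings named above. The function and enum names are hypothetical, the sample entries are constructed, and treating "*NP*" as "not locked" is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

enum pw_state { PW_LOCKED, PW_NO_PASSWORD, PW_NOT_READABLE, PW_HASH };

/* Heuristic from the thread: anything shorter than a 13-character
 * crypt(3) hash is reported as locked. */
static int naive_is_locked(const char *pw)
{
    return strlen(pw) < 13;
}

/* Explicit match on the special strings described in the message. */
static enum pw_state classify_pw(const char *pw)
{
    if (strcmp(pw, "*LK*") == 0)
        return PW_LOCKED;        /* written by passwd -l */
    if (strcmp(pw, "NP") == 0)
        return PW_NO_PASSWORD;   /* no password, public-key login still valid */
    if (strcmp(pw, "*NP*") == 0)
        return PW_NOT_READABLE;  /* NIS+ would not hand over the real field */
    return PW_HASH;
}

/* Assumption of this sketch: only an exact "*LK*" counts as locked. */
static int account_is_locked(const char *pw)
{
    return classify_pw(pw) == PW_LOCKED;
}

int main(void)
{
    /* Constructed sample password fields, not taken from a real system. */
    const char *samples[] = { "*LK*", "NP", "*NP*", "abJnggxhB/yWI" };
    size_t i;

    printf("%-15s %-6s %s\n", "field", "naive", "explicit");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-15s %-6d %d\n", samples[i],
               naive_is_locked(samples[i]), account_is_locked(samples[i]));
    return 0;
}
```

The output shows "NP" and "*NP*" flagged as locked by the length check but not by the explicit match, which is the case that would stop public-key only authentication.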