Test for locked account in auth.c (bug #442).
Darren Tucker
dtucker at zip.com.au
Tue Jan 14 18:13:34 EST 2003
Damien Miller wrote:
> Darren Tucker wrote:
> I think Ben means the shadow sp_expire field, which I understand means
> "account expiry" rather than "password expiry". This would be IMO a
> nicer way of doing things.
Assuming it has one and ignoring the platform's native account lock?
> > It boils down to "does passwd -l lock the account or the password?" From
> > the man pages I've checked the ratio is 2 (account) to 1 (password).
> >
> > So you can default to allowing locked entries (permissive by default) or
> > not allowing them (secure by default[0]).
>
> That argument would carry more weight for me, but for the fact that
> (AFAIK) SSH has never honored locked passwords as locking pubkey access.
If you s/passwords/accounts/ (see previous messages about how the man
pages describe what we're talking about), and consider the fact some
platforms use the password field as a platform-specific implementation
detail:
* openssh has on AIX since at least 2.2.0p1 via the loginrestrictions()
function.
* ssh-1.2.33 does for AIX, Trusted HP-UX and anything with a password
string equal to "*LK*". I don't know about later versions.
> This could lead to a whole lot of people who have used locked accounts +
> pubkey access suddenly finding that they can no longer access their
> systems post-upgrade.
>
> The way out of that would be to add a preference to determine the
> behaviour - but I don't want to add more portable-specific options (In
> fact I want to get rid of the one that is there).
Agreed, I'd rather see it backed out than clutter sshd_config further,
but I still think denying the login is the right thing to do.
> > Martin MOKREJŠ has kindly supplied some info about Tru64's
> > -lauthenticate functions so we could drop the ugliest Tru64 cases and
> > have another section at the end of allowed_user() like
> > WITH_AIXAUTHENTICATE. Then it would look something like
>
> Shouldn't this be done for Tru64 using SIA anyway?
Maybe, I'm not sure. I haven't used Tru64 since it was called OSF/1.
(That should be -lsecurity, BTW).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
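For illustration of the check the thread is arguing over, here is an added example that is not part of the thread, OpenSSH's auth.c, or ssh-1.2.33. It is an allowed_user()-style function that refuses a login when the password field carries the platform's lock marker or the shadow account-expiry date has passed, and it runs before any authentication method is chosen, so a locked account is refused for pubkey as well as password logins (the position Darren takes above). The function and enum names are mine; the lock marker is an exact match on "*LK*" as the thread describes ssh-1.2.33 doing (some platforms prefix the existing hash instead, which is exactly the platform-specific detail under discussion and is not handled here); sp_expire is taken as days since 1970-01-01 with -1 meaning unset, as in shadow(5); and treating the account as expired from the sp_expire day itself is my choice of boundary. The sample accounts are constructed.

```c
/* Added example, not OpenSSH's auth.c: an allowed_user()-style check that
 * refuses a login when the password field carries the platform's lock
 * marker or the shadow account-expiry date has passed.  It runs before
 * any authentication method is chosen, so a locked account is refused for
 * pubkey as well as password logins.
 *
 * Assumptions (not from the page): the function and enum names; the lock
 * marker is an exact match on "*LK*" as the thread describes ssh-1.2.33
 * doing, not a prefix; sp_expire is days since 1970-01-01 and -1 means
 * unset, as in shadow(5); an account counts as expired from the sp_expire
 * day itself (today >= sp_expire).  Sample accounts below are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define LOCKED_PASSWD_STRING "*LK*"

enum login_status { LOGIN_OK = 0, LOGIN_LOCKED = 1, LOGIN_EXPIRED = 2 };

/* Days since the epoch, the unit sp_expire is kept in. */
long days_since_epoch(time_t now)
{
    return (long)(now / 86400);
}

/* passwd: the pw_passwd/sp_pwdp string (NULL if the platform hides it)
 * expire: sp_expire in days, -1 if the field is unset
 * today:  current day number from days_since_epoch()
 * Returns LOGIN_OK or the reason the login is refused. */
int account_allowed(const char *passwd, long expire, long today)
{
    /* Platform lock marker in the password field: deny regardless of
     * which authentication method the client would go on to use. */
    if (passwd != NULL && strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
        return LOGIN_LOCKED;
    /* Shadow account expiry (sp_expire), distinct from password expiry. */
    if (expire != -1 && today >= expire)
        return LOGIN_EXPIRED;
    return LOGIN_OK;
}

const char *status_name(int s)
{
    switch (s) {
    case LOGIN_OK:      return "allowed";
    case LOGIN_LOCKED:  return "locked account";
    case LOGIN_EXPIRED: return "account expired";
    default:            return "unknown";
    }
}

int main(void)
{
    /* Constructed sample accounts: name, password field, sp_expire. */
    struct { const char *name; const char *passwd; long expire; } accts[] = {
        { "alice", "$1$constructed$hash", -1    }, /* ordinary account        */
        { "bob",   "*LK*",                -1    }, /* passwd -l, "*LK*" style */
        { "carol", "$1$constructed$hash", 12000 }, /* sp_expire in the past   */
        { "dave",  "$1$constructed$hash", 99999 }, /* sp_expire in the future */
    };
    long today = days_since_epoch(time(NULL));
    size_t i;

    for (i = 0; i < sizeof(accts) / sizeof(accts[0]); i++) {
        int st = account_allowed(accts[i].passwd, accts[i].expire, today);
        printf("%-6s %s\n", accts[i].name, status_name(st));
    }
    return 0;
}
```

Note that "*LK*extra" is not treated as locked under the exact-match rule used here; a platform that prefixes the hash when locking would need the strncmp form instead, which is the kind of per-platform divergence the thread is about.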