Test for locked account in auth.c (bug #442).

Darren Tucker dtucker at zip.com.au
Tue Jan 14 18:13:34 EST 2003


Damien Miller wrote:
> Darren Tucker wrote:
> I think Ben means the shadow sp_expire field, which I understand means
> "account expiry" rather than "password expiry". This would be IMO a
> nicer way of doing things.

Assuming it has one and ignoring the platform's native account lock?
 
> > It boils down to "does passwd -l lock the account or the password?" From
> > the man pages I've checked the ratio is 2 (account) to 1 (password).
> >
> > So you can default to allowing locked entries (permissive by default) or
> > not allowing them (secure by default[0]).
> 
> That argument would carry more weight for me, but for the fact that
> (AFAIK) SSH has never honored locked passwords as locking pubkey access.

If you s/passwords/accounts/ (see previous messages about how the man
pages describe what we're talking about), and consider the fact some
platforms use the password field as a platform-specific implementation
detail:

* openssh has on AIX since at least 2.2.0p1 via the loginrestrictions()
function.

* ssh-1.2.33 does for AIX, Trusted HP-UX and anything with a password
string equal to "*LK*".  I don't know about later versions.

> This could lead to a whole lot of people who have used locked accounts +
> pubkey access suddenly finding that they can no longer access their
> systems post-upgrade.
> 
> The way out of that would be to add a preference to determine the
> behaviour - but I don't want to add more portable-specific options (In
> fact I want to get rid of the one that is there).

Agreed, I'd rather see it backed out than clutter sshd_config further,
but I still think denying the login is the right thing to do.

> > Martin MOKREJŠ has kindly supplied some info about Tru64's
> > -lauthenticate functions so we could drop the ugliest Tru64 cases and
> > have another section at the end of allowed_user() like
> > WITH_AIXAUTHENTICATE.  Then it would look something like
> 
> Shouldn't this be done for Tru64 using SIA anyway?

Maybe, I'm not sure.  I haven't used Tru64 since it was called OSF/1. 
(That should be -lsecurity, BTW).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
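The two signals the thread is arguing over (a lock marker that `passwd -l` leaves in the password field, versus the shadow sp_expire account-expiry date) are easy to confuse, so here is an added example, written for this page and not OpenSSH's own auth.c or any platform's native check, that evaluates both against a few constructed shadow entries. It assumes Solaris-style "*LK*", the Linux shadow convention of a leading '!' after `passwd -l`, and a bare "*" as lock markers, and treats sp_expire as days since the epoch with a non-positive value meaning "unset", the way shadow(5) and shadow-utils' isexpired() read it. Platforms with a native routine (AIX loginrestrictions(), for instance) would consult that instead; the entries and helper names below are hypothetical.

```c
/*
 * Added example, not OpenSSH code: a portable sketch of an "is this
 * account usable?" check of the kind discussed for auth.c.  Two
 * independent signals are examined:
 *   1. the password field, which `passwd -l` rewrites on several
 *      platforms ("*LK*" on Solaris-style systems, a leading '!' on
 *      Linux shadow, and a bare "*" meaning "no password at all");
 *   2. sp_expire, the shadow *account* expiry (days since 1970-01-01,
 *      non-positive when unset), as opposed to password expiry.
 * All markers, thresholds and sample entries here are assumptions of
 * the example and are constructed, not taken from a real system.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Why an account is refused; ACCOUNT_OK means nothing blocks it. */
enum account_state {
    ACCOUNT_OK = 0,
    ACCOUNT_LOCKED_PASSWD_FIELD,   /* password field carries a lock marker */
    ACCOUNT_EXPIRED                /* sp_expire date has been reached */
};

/* Stand-in for the parts of struct spwd the check needs. */
struct shadow_entry {
    const char *name;
    const char *passwd;   /* sp_pwdp */
    long expire_days;     /* sp_expire: days since epoch, <= 0 if unset */
};

/*
 * Does the password field carry a lock marker?  Treating a bare "*" or a
 * '!'-prefixed hash as locked is the "secure by default" reading of
 * passwd -l, and is exactly what would break "locked password + pubkey
 * only" setups after an upgrade; a site wanting the permissive reading
 * would drop those two cases and keep only the explicit "*LK*".
 */
int passwd_field_locked(const char *pw)
{
    if (pw == NULL)
        return 0;
    if (strncmp(pw, "*LK*", 4) == 0)   /* Solaris-style explicit lock */
        return 1;
    if (pw[0] == '!')                  /* Linux shadow: passwd -l prefix */
        return 1;
    if (strcmp(pw, "*") == 0)          /* no password set at all */
        return 1;
    return 0;
}

/* today_days is "now" as days since the epoch, so tests can pin it. */
enum account_state check_account(const struct shadow_entry *e, long today_days)
{
    if (passwd_field_locked(e->passwd))
        return ACCOUNT_LOCKED_PASSWD_FIELD;
    /* Same comparison shadow-utils' isexpired() uses: expire set and reached. */
    if (e->expire_days > 0 && today_days >= e->expire_days)
        return ACCOUNT_EXPIRED;
    return ACCOUNT_OK;
}

/* Convenience wrapper so a caller can check a field/expiry pair directly. */
enum account_state check_sample(const char *pw, long expire_days, long today_days)
{
    struct shadow_entry e = { "sample", pw, expire_days };
    return check_account(&e, today_days);
}

/* Today as days since the epoch, as sshd itself would compute it. */
long days_since_epoch_now(void)
{
    return (long)(time(NULL) / 86400L);
}

int main(void)
{
    /* Constructed entries; the hashes are placeholders, not real ones. */
    const struct shadow_entry samples[] = {
        { "alice", "$6$salt$hash",  -1    },   /* normal account */
        { "bob",   "!$6$salt$hash", -1    },   /* Linux passwd -l */
        { "carol", "*LK*",          -1    },   /* Solaris-style lock */
        { "dave",  "$6$salt$hash",  12000 },   /* expired if today >= 12000 */
        { "erin",  "*",             -1    },   /* no password at all */
    };
    const char *names[] = { "ok", "locked (password field)", "expired" };
    long today = 13000;   /* fixed "today" so the output is reproducible */
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-6s %s\n", samples[i].name,
               names[check_account(&samples[i], today)]);
    return 0;
}
```

Note the asymmetry this makes visible: the password-field test says nothing about pubkey users unless sshd chooses to consult it for them, which is the behaviour change the thread worries about, while sp_expire is unambiguously an account property and is the cleaner signal where the platform provides it.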




More information about the openssh-unix-dev mailing list