<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: locked account accessable via pubkey auth</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2712.300" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Without SSH, is there *any* other way to access a
password-locked account than to su in from root?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If not, I don't see it as being valid to allow a
pubkey "backdoor" by default. It comes down to whether the platforms are
equating "no password = no access". Unless something else has access with
no password, we shouldn't be allowing such.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Now, do we generally directly manage passwd/shadow
files on Solaris, or do we usually go through PAM? Can PAM report an LK
password state, so we could check for it before allowing pubkey?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--dan</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Jason.Lacoss-Arnold@AGEDWARDS.com
href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com">Lacoss-Arnold, Jason</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=dan@doxpara.com
href="mailto:dan@doxpara.com">'Dan Kaminsky'</A> ; <A title=djm@mindrot.org
href="mailto:djm@mindrot.org">'Damien Miller'</A> ; <A
title=fcusack@fcusack.com href="mailto:fcusack@fcusack.com">Frank Cusack</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=openssh-unix-dev@mindrot.org
href="mailto:openssh-unix-dev@mindrot.org">openssh-unix-dev@mindrot.org</A> ;
<A title=Alexander.Dost@drkw.com href="mailto:Alexander.Dost@drkw.com">Dost,
Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002 5:26
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account accessable
via pubkey auth</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=903432013-30012002>As
an interesting side note, HP-UX used to also have this problem, but I just
tested on an 11.0 trusted HP-UX box and disabling my account in SAM did
actually disable it to ssh. Unfortunately, we don't have any untrusted
systems, so I can't tell if it's a ramification of the HPs whole tcb
shananigans (their version of shadow files) or if all of HP is similarly
fixed.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=903432013-30012002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=903432013-30012002>Also, I'm pretty sure that this behavior in Solaris
way predated version 8.</SPAN></FONT></DIV>
<DIV> </DIV>
<P><FONT face=Tahoma size=2>Thanks,</FONT> <BR><I><FONT face=Tahoma
size=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT></I>
<BR><I><FONT face=Tahoma size=2>Technical Services - Unix Arch.</FONT></I>
<BR><I><FONT face=Tahoma size=2>314-955-8501</FONT></I> </P>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Dan Kaminsky
[mailto:dan@doxpara.com]<BR><B>Sent:</B> Wednesday, January 30, 2002
7:17<BR><B>To:</B> Lacoss-Arnold, Jason; 'Damien Miller'; Frank
Cusack<BR><B>Cc:</B> openssh-unix-dev@mindrot.org; Dost,
Alexander<BR><B>Subject:</B> Re: locked account accessable via pubkey
auth<BR><BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Since normally it's impossible to access the
account of a password-disabled account, should default behavior on Solaris
be to assume password-disabled means access-disabled?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It seems to me that the rest of the Solaris
tools assume "no password = no access". Perhaps we should as well, and
provide a separate configuration option to override to the useful but
non-obvious pubkey-only mode.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thoughts?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--Dan</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Jason.Lacoss-Arnold@AGEDWARDS.com
href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com">Lacoss-Arnold, Jason</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=djm@mindrot.org
href="mailto:djm@mindrot.org">'Damien Miller'</A> ; <A
title=fcusack@fcusack.com href="mailto:fcusack@fcusack.com">Frank
Cusack</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A
title=openssh-unix-dev@mindrot.org
href="mailto:openssh-unix-dev@mindrot.org">openssh-unix-dev@mindrot.org</A>
; <A title=Alexander.Dost@drkw.com
href="mailto:Alexander.Dost@drkw.com">Dost, Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002
4:59 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account
accessable via pubkey auth</DIV>
<DIV><BR></DIV>
<P><FONT size=2>No, it's at best a really annoying "feature" but it feels
more like a bug. Basically, it makes it a royal pain in the arse to
disable an account when a user leaves since all of the Solaris tools
assume that passwd=*LK* means that the account is disabled. Hence,
if you actually want to disable the account you have to first use Sun's
tool and additionally either change the shell to /bin/false or similar,
put the user in a group that's listed in sshd_config's DenyGroups, go wipe
out user keys and configs, or some other kludge. Kludging
sucks.</FONT></P>
<P><FONT size=2>Thanks,</FONT> <BR><FONT size=2>--Jason Lacoss-Arnold,
Systems Technical Specialist</FONT> <BR><FONT size=2>Technical Services -
Unix Arch.</FONT> <BR><FONT size=2>314-955-8501</FONT> </P><BR>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From:
Damien Miller [<A
href="mailto:djm@mindrot.org">mailto:djm@mindrot.org</A>]</FONT> <BR><FONT
size=2>Sent: Tuesday, January 29, 2002 22:40</FONT> <BR><FONT size=2>To:
Frank Cusack</FONT> <BR><FONT size=2>Cc: openssh-unix-dev@mindrot.org;
Dost, Alexander</FONT> <BR><FONT size=2>Subject: Re: locked account
accessable via pubkey auth</FONT> </P><BR>
<P><FONT size=2>On Tue, 29 Jan 2002, Frank Cusack wrote:</FONT> </P>
<P><FONT size=2>> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin
wrote:</FONT> <BR><FONT size=2>> > On Tue, Jan 29, 2002 at
12:56:55PM +0100, Dost, Alexander wrote:</FONT> <BR><FONT size=2>> >
> maybe this is a silly question ;-) But why is it possible to login on
a</FONT> <BR><FONT size=2>> > > machine with a locked account
(passwd -l ) via pubkey-authentication</FONT> <BR><FONT size=2>> >
> (authorized_keys) ?</FONT> <BR><FONT size=2>> > > I use
OpenSSH3.01p1on Solaris8 with PAM support so I thought this should
not</FONT> <BR><FONT size=2>> > > happen.</FONT> <BR><FONT
size=2>> > </FONT><BR><FONT size=2>> > Check the list archives
and you'll find others with the same problem.</FONT> <BR><FONT size=2>>
> Noone has turned up a solution with Solaris 8/PAM yet.</FONT>
<BR><FONT size=2>> </FONT><BR><FONT size=2>> huh.. This is
definitely a bug; probably in the Solaris PAM libs. I can</FONT>
<BR><FONT size=2>> look into this, unfortunately not within a day or
so.</FONT> </P>
<P><FONT size=2>I don't think it is a bug even. Having accounts with
locked passwords, but</FONT> <BR><FONT size=2>still accessible via pubkey
auth is a very useful thing.</FONT> </P>
<P><FONT size=2>-d</FONT> </P><BR>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>openssh-unix-dev@mindrot.org mailing list</FONT>
<BR><FONT size=2><A
href="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev"
target=_blank>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received or<BR>otherwise
recorded by the A.G. Edwards corporate e-mail system and is<BR>subject to
archival, monitoring or review by, and/or disclosure to,<BR>someone other
than the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></BLOCKQUOTE></FONT></CODE><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received or<BR>otherwise
recorded by the A.G. Edwards corporate e-mail system and is<BR>subject to
archival, monitoring or review by, and/or disclosure to,<BR>someone other than
the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></FONT></CODE></BODY></HTML>