<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35">
<TITLE>RE: locked account accessable via pubkey auth</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>No, it's at best a really annoying "feature" but it feels more like a bug. Basically, it makes it a royal pain in the arse to disable an account when a user leaves since all of the Solaris tools assume that passwd=*LK* means that the account is disabled. Hence, if you actually want to disable the account you have to first use Sun's tool and additionally either change the shell to /bin/false or similar, put the user in a group that's listed in sshd_config's DenyGroups, go wipe out user keys and configs, or some other kludge. Kludging sucks.</FONT></P>
<P><FONT SIZE=2>Thanks,</FONT>
<BR><FONT SIZE=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT>
<BR><FONT SIZE=2>Technical Services - Unix Arch.</FONT>
<BR><FONT SIZE=2>314-955-8501</FONT>
</P>
<BR>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Damien Miller [<A HREF="mailto:djm@mindrot.org">mailto:djm@mindrot.org</A>]</FONT>
<BR><FONT SIZE=2>Sent: Tuesday, January 29, 2002 22:40</FONT>
<BR><FONT SIZE=2>To: Frank Cusack</FONT>
<BR><FONT SIZE=2>Cc: openssh-unix-dev@mindrot.org; Dost, Alexander</FONT>
<BR><FONT SIZE=2>Subject: Re: locked account accessable via pubkey auth</FONT>
</P>
<BR>
<P><FONT SIZE=2>On Tue, 29 Jan 2002, Frank Cusack wrote:</FONT>
</P>
<P><FONT SIZE=2>> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:</FONT>
<BR><FONT SIZE=2>> > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:</FONT>
<BR><FONT SIZE=2>> > > maybe this is a silly question ;-) But why is it possible to login on a</FONT>
<BR><FONT SIZE=2>> > > machine with a locked account (passwd -l ) via pubkey-authentication</FONT>
<BR><FONT SIZE=2>> > > (authorized_keys) ?</FONT>
<BR><FONT SIZE=2>> > > I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not</FONT>
<BR><FONT SIZE=2>> > > happen.</FONT>
<BR><FONT SIZE=2>> > </FONT>
<BR><FONT SIZE=2>> > Check the list archives and you'll find others with the same problem.</FONT>
<BR><FONT SIZE=2>> > Noone has turned up a solution with Solaris 8/PAM yet.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> huh.. This is definitely a bug; probably in the Solaris PAM libs. I can</FONT>
<BR><FONT SIZE=2>> look into this, unfortunately not within a day or so.</FONT>
</P>
<P><FONT SIZE=2>I don't think it is a bug even. Having accounts with locked passwords, but</FONT>
<BR><FONT SIZE=2>still accessible via pubkey auth is a very useful thing.</FONT>
</P>
<P><FONT SIZE=2>-d</FONT>
</P>
<BR>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>openssh-unix-dev@mindrot.org mailing list</FONT>
<BR><FONT SIZE=2><A HREF="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev" TARGET="_blank">http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P>
<CODE><FONT SIZE=3><BR>
<BR>
***************************************************************************************<BR>
WARNING: All e-mail sent to and from this address will be received or<BR>
otherwise recorded by the A.G. Edwards corporate e-mail system and is<BR>
subject to archival, monitoring or review by, and/or disclosure to,<BR>
someone other than the recipient.<BR>
***************************************************************************************<BR>
</FONT></CODE></BODY>
</HTML>