<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>RE: locked account accessable via pubkey auth</TITLE>
<META content="MSHTML 5.00.2919.6307" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=412453713-30012002>No. ftp doesn't allow it. The console
doesn't allow it. The r* commands would allow it, but we don't allow them
for obvious reasons. But we feel that the tool we're using to rid
ourselves of security holes shouldn't replicate security
holes.</SPAN></FONT></DIV>
<DIV> </DIV>
<P><FONT face=Tahoma size=2>Thanks,</FONT> <BR><I><FONT face=Tahoma
size=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT></I>
<BR><I><FONT face=Tahoma size=2>Technical Services - Unix Arch.</FONT></I>
<BR><I><FONT face=Tahoma size=2>314-955-8501</FONT></I> </P>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Dan Kaminsky
[mailto:dan@doxpara.com]<BR><B>Sent:</B> Wednesday, January 30, 2002
7:43<BR><B>To:</B> Lacoss-Arnold, Jason; 'Damien Miller'; Frank
Cusack<BR><B>Cc:</B> openssh-unix-dev@mindrot.org; Dost,
Alexander<BR><B>Subject:</B> Re: locked account accessable via pubkey
auth<BR><BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Without SSH, is there *any* other way to access a
password-locked account than to su in from root?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If not, I don't see it as being valid to allow a
pubkey "backdoor" by default. It comes down to whether the platforms are
equating "no password = no access". Unless something else has access
with no password, we shouldn't be allowing such.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Now, do we generally directly manage
passwd/shadow files on Solaris, or do we usually go through PAM? Can PAM
report an LK password state, so we could check for it before allowing
pubkey?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--dan</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com"
title=Jason.Lacoss-Arnold@AGEDWARDS.com>Lacoss-Arnold, Jason</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A href="mailto:dan@doxpara.com"
title=dan@doxpara.com>'Dan Kaminsky'</A> ; <A href="mailto:djm@mindrot.org"
title=djm@mindrot.org>'Damien Miller'</A> ; <A
href="mailto:fcusack@fcusack.com" title=fcusack@fcusack.com>Frank Cusack</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A
href="mailto:openssh-unix-dev@mindrot.org"
title=openssh-unix-dev@mindrot.org>openssh-unix-dev@mindrot.org</A> ; <A
href="mailto:Alexander.Dost@drkw.com" title=Alexander.Dost@drkw.com>Dost,
Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002 5:26
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account accessable
via pubkey auth</DIV>
<DIV><BR></DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN class=903432013-30012002>As
an interesting side note, HP-UX used to also have this problem, but I just
tested on an 11.0 trusted HP-UX box and disabling my account in SAM did
actually disable it to ssh. Unfortunately, we don't have any untrusted
systems, so I can't tell if it's a ramification of the HPs whole tcb
shenanigans (their version of shadow files) or if all of HP is similarly
fixed.</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=903432013-30012002></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=903432013-30012002>Also, I'm pretty sure that this behavior in Solaris
way predated version 8.</SPAN></FONT></DIV>
<DIV> </DIV>
<P><FONT face=Tahoma size=2>Thanks,</FONT> <BR><I><FONT face=Tahoma
size=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT></I>
<BR><I><FONT face=Tahoma size=2>Technical Services - Unix Arch.</FONT></I>
<BR><I><FONT face=Tahoma size=2>314-955-8501</FONT></I> </P>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Dan Kaminsky
[mailto:dan@doxpara.com]<BR><B>Sent:</B> Wednesday, January 30, 2002
7:17<BR><B>To:</B> Lacoss-Arnold, Jason; 'Damien Miller'; Frank
Cusack<BR><B>Cc:</B> openssh-unix-dev@mindrot.org; Dost,
Alexander<BR><B>Subject:</B> Re: locked account accessable via pubkey
auth<BR><BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Since normally it's impossible to access the
account of a password-disabled account, should default behavior on Solaris
be to assume password-disabled means access-disabled?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It seems to me that the rest of the Solaris
tools assume "no password = no access". Perhaps we should as well,
and provide a separate configuration option to override to the useful but
non-obvious pubkey-only mode.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thoughts?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--Dan</FONT></DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com"
title=Jason.Lacoss-Arnold@AGEDWARDS.com>Lacoss-Arnold, Jason</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
href="mailto:djm@mindrot.org" title=djm@mindrot.org>'Damien Miller'</A>
; <A href="mailto:fcusack@fcusack.com" title=fcusack@fcusack.com>Frank
Cusack</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A
href="mailto:openssh-unix-dev@mindrot.org"
title=openssh-unix-dev@mindrot.org>openssh-unix-dev@mindrot.org</A> ; <A
href="mailto:Alexander.Dost@drkw.com"
title=Alexander.Dost@drkw.com>Dost, Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002
4:59 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account
accessable via pubkey auth</DIV>
<DIV><BR></DIV>
<P><FONT size=2>No, it's at best a really annoying "feature" but it
feels more like a bug. Basically, it makes it a royal pain in the
arse to disable an account when a user leaves since all of the Solaris
tools assume that passwd=*LK* means that the account is disabled.
Hence, if you actually want to disable the account you have to first use
Sun's tool and additionally either change the shell to /bin/false or
similar, put the user in a group that's listed in sshd_config's
DenyGroups, go wipe out user keys and configs, or some other
kludge. Kludging sucks.</FONT></P>
<P><FONT size=2>Thanks,</FONT> <BR><FONT size=2>--Jason Lacoss-Arnold,
Systems Technical Specialist</FONT> <BR><FONT size=2>Technical Services
- Unix Arch.</FONT> <BR><FONT size=2>314-955-8501</FONT> </P><BR>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From:
Damien Miller [<A
href="mailto:djm@mindrot.org">mailto:djm@mindrot.org</A>]</FONT>
<BR><FONT size=2>Sent: Tuesday, January 29, 2002 22:40</FONT> <BR><FONT
size=2>To: Frank Cusack</FONT> <BR><FONT size=2>Cc:
openssh-unix-dev@mindrot.org; Dost, Alexander</FONT> <BR><FONT
size=2>Subject: Re: locked account accessable via pubkey auth</FONT>
</P><BR>
<P><FONT size=2>On Tue, 29 Jan 2002, Frank Cusack wrote:</FONT> </P>
<P><FONT size=2>> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert
Chin wrote:</FONT> <BR><FONT size=2>> > On Tue, Jan 29, 2002 at
12:56:55PM +0100, Dost, Alexander wrote:</FONT> <BR><FONT size=2>>
> > maybe this is a silly question ;-) But why is it possible to
login on a</FONT> <BR><FONT size=2>> > > machine with a locked
account (passwd -l ) via pubkey-authentication</FONT> <BR><FONT
size=2>> > > (authorized_keys) ?</FONT> <BR><FONT size=2>>
> > I use OpenSSH3.01p1 on Solaris8 with PAM support so I thought
this should not</FONT> <BR><FONT size=2>> > > happen.</FONT>
<BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Check the
list archives and you'll find others with the same problem.</FONT>
<BR><FONT size=2>> > No one has turned up a solution with Solaris
8/PAM yet.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>>
huh.. This is definitely a bug; probably in the Solaris PAM
libs. I can</FONT> <BR><FONT size=2>> look into this,
unfortunately not within a day or so.</FONT> </P>
<P><FONT size=2>I don't think it is a bug even. Having accounts with
locked passwords, but</FONT> <BR><FONT size=2>still accessible via
pubkey auth is a very useful thing.</FONT> </P>
<P><FONT size=2>-d</FONT> </P><BR>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>openssh-unix-dev@mindrot.org mailing list</FONT>
<BR><FONT size=2><A
href="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev"
target=_blank>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received
or<BR>otherwise recorded by the A.G. Edwards corporate e-mail system and
is<BR>subject to archival, monitoring or review by, and/or disclosure
to,<BR>someone other than the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></BLOCKQUOTE></FONT></CODE></BLOCKQUOTE></BLOCKQUOTE><CODE><FONT SIZE=3><BR>
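</FONT></CODE>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Added example, not code from this thread and not OpenSSH's own code (later OpenSSH releases did add a locked-account check of this general kind to sshd; what follows is an independent illustration of the rule Dan proposes, "no password = no access", applied before public-key authentication). The program reads a shadow(4)-style entry and refuses to proceed to pubkey auth when the password field carries an administrative lock marker. It assumes two platform conventions: Solaris <TT>passwd -l</TT> puts <TT>*LK*</TT> at the start of the field, and Linux <TT>passwd -l</TT> / <TT>usermod -L</TT> prepends <TT>!</TT> to the existing hash. A field that merely cannot match any password (<TT>*</TT>, <TT>NP</TT>) is deliberately not treated as a lock, which preserves the pubkey-only mode Damien describes. The shadow content below is constructed for the example with placeholder hashes, and the function names are the example's own.</FONT></DIV>
<DIV> </DIV>

```c
/*
 * Added example (not from the thread, not OpenSSH code): apply the
 * "no password = no access" rule before public-key authentication by
 * inspecting the password field of a shadow(4)-style entry.
 *
 * Lock conventions assumed here:
 *   Solaris: passwd -l puts "*LK*" at the start of the field.
 *   Linux:   passwd -l / usermod -L prepends "!" to the existing hash.
 * "*", "NP" or a real hash are NOT locks: password auth cannot succeed,
 * but the account stays usable for pubkey-only access.
 */
#include <stdio.h>
#include <string.h>

typedef enum { ACCT_OK = 0, ACCT_LOCKED = 1, ACCT_UNKNOWN_USER = 2 } acct_status;

/* 1 if the password field carries an administrative lock marker. */
int passwd_field_is_locked(const char *pw)
{
    if (pw == NULL)
        return 0;
    if (strncmp(pw, "*LK*", 4) == 0)    /* Solaris passwd -l */
        return 1;
    if (pw[0] == '!')                   /* Linux passwd -l, usermod -L */
        return 1;
    return 0;
}

/*
 * Find `user` in `shadow` ("name:pw:lastchg:..." lines) and classify the
 * account. Parsing is minimal on purpose; only the first two fields matter.
 * An unknown user is reported as such so the caller can fail closed.
 */
acct_status shadow_account_status(const char *shadow, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = shadow;

    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        /* exact user-name match: "bob:" must not match "bobby:" */
        if (linelen > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *pw = line + ulen + 1;
            size_t rest = linelen - ulen - 1;
            const char *pwend = memchr(pw, ':', rest);
            size_t pwlen = pwend ? (size_t)(pwend - pw) : rest;
            char field[256];

            if (pwlen >= sizeof(field))
                pwlen = sizeof(field) - 1;
            memcpy(field, pw, pwlen);
            field[pwlen] = '\0';
            return passwd_field_is_locked(field) ? ACCT_LOCKED : ACCT_OK;
        }
        line = eol ? eol + 1 : NULL;
    }
    return ACCT_UNKNOWN_USER;
}

/* Constructed sample shadow file; the hashes are placeholders, not real. */
static const char SAMPLE_SHADOW[] =
    "root:$1$saltsalt$0123456789abcdefghijkl:11700::::::\n"      /* normal */
    "alice:*LK*$1$saltsalt$0123456789abcdefghijkl:11700::::::\n" /* Solaris passwd -l */
    "bob:!$1$saltsalt$0123456789abcdefghijkl:11700::::::\n"      /* Linux passwd -l */
    "deploy:*:11700::::::\n"                                     /* pubkey-only style */
    "lp:NP:11700::::::\n";                                       /* no password, not a lock */

/* The decision the daemon would take before honouring an authorized_keys entry. */
int pubkey_login_allowed(const char *user)
{
    return shadow_account_status(SAMPLE_SHADOW, user) == ACCT_OK;
}

int main(void)
{
    const char *users[] = { "root", "alice", "bob", "deploy", "lp", "mallory" };
    size_t i;

    for (i = 0; i < sizeof(users) / sizeof(users[0]); i++)
        printf("%-8s pubkey login %s\n", users[i],
               pubkey_login_allowed(users[i]) ? "allowed" : "refused");
    return 0;
}
```

<DIV><FONT face=Arial size=2>Compiled with <TT>cc</TT> and run, it prints one allowed/refused line per sample user: root, deploy and lp are allowed, alice and bob are refused because their fields are locked, and the unknown user mallory is refused because the lookup fails closed. Whether <TT>*</TT> and <TT>NP</TT> should also count as "no access" is exactly the policy question this thread argues about; the check keeps them open, so an administrator who wants the stricter reading changes only <TT>passwd_field_is_locked()</TT>.</FONT></DIV>
<CODE><FONT SIZE=3>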
</FONT></CODE></BODY></HTML>