<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>RE: locked account accessable via pubkey auth</TITLE>
<META content="MSHTML 5.00.2919.6307" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN class=903432013-30012002>As an
interesting side note, HP-UX used to also have this problem, but I just tested
on an 11.0 trusted HP-UX box and disabling my account in SAM did actually
disable it to ssh. Unfortunately, we don't have any untrusted systems, so
I can't tell if it's a ramification of the HPs whole tcb shananigans (their
version of shadow files) or if all of HP is similarly fixed.</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=903432013-30012002></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN class=903432013-30012002>Also,
I'm pretty sure that this behavior in Solaris way predated version
8.</SPAN></FONT></DIV>
<DIV> </DIV>
<P><FONT face=Tahoma size=2>Thanks,</FONT> <BR><I><FONT face=Tahoma
size=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT></I>
<BR><I><FONT face=Tahoma size=2>Technical Services - Unix Arch.</FONT></I>
<BR><I><FONT face=Tahoma size=2>314-955-8501</FONT></I> </P>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Dan Kaminsky
[mailto:dan@doxpara.com]<BR><B>Sent:</B> Wednesday, January 30, 2002
7:17<BR><B>To:</B> Lacoss-Arnold, Jason; 'Damien Miller'; Frank
Cusack<BR><B>Cc:</B> openssh-unix-dev@mindrot.org; Dost,
Alexander<BR><B>Subject:</B> Re: locked account accessable via pubkey
auth<BR><BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Since normally it's impossible to access the
account of a password-disabled account, should default behavior on Solaris be
to assume password-disabled means access-disabled?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It seems to me that the rest of the Solaris tools
assume "no password = no access". Perhaps we should as well, and provide
a separate configuration option to override to the useful but non-obvious
pubkey-only mode.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thoughts?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--Dan</FONT></DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com"
title=Jason.Lacoss-Arnold@AGEDWARDS.com>Lacoss-Arnold, Jason</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A href="mailto:djm@mindrot.org"
title=djm@mindrot.org>'Damien Miller'</A> ; <A
href="mailto:fcusack@fcusack.com" title=fcusack@fcusack.com>Frank Cusack</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A
href="mailto:openssh-unix-dev@mindrot.org"
title=openssh-unix-dev@mindrot.org>openssh-unix-dev@mindrot.org</A> ; <A
href="mailto:Alexander.Dost@drkw.com" title=Alexander.Dost@drkw.com>Dost,
Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002 4:59
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account accessable
via pubkey auth</DIV>
<DIV><BR></DIV>
<P><FONT size=2>No, it's at best a really annoying "feature" but it feels
more like a bug. Basically, it makes it a royal pain in the arse to
disable an account when a user leaves since all of the Solaris tools assume
that passwd=*LK* means that the account is disabled. Hence, if you
actually want to disable the account you have to first use Sun's tool and
additionally either change the shell to /bin/false or similar, put the user
in a group that's listed in sshd_config's DenyGroups, go wipe out user keys
and configs, or some other kludge. Kludging sucks.</FONT></P>
<P><FONT size=2>Thanks,</FONT> <BR><FONT size=2>--Jason Lacoss-Arnold,
Systems Technical Specialist</FONT> <BR><FONT size=2>Technical Services -
Unix Arch.</FONT> <BR><FONT size=2>314-955-8501</FONT> </P><BR>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From:
Damien Miller [<A
href="mailto:djm@mindrot.org">mailto:djm@mindrot.org</A>]</FONT> <BR><FONT
size=2>Sent: Tuesday, January 29, 2002 22:40</FONT> <BR><FONT size=2>To:
Frank Cusack</FONT> <BR><FONT size=2>Cc: openssh-unix-dev@mindrot.org; Dost,
Alexander</FONT> <BR><FONT size=2>Subject: Re: locked account accessable via
pubkey auth</FONT> </P><BR>
<P><FONT size=2>On Tue, 29 Jan 2002, Frank Cusack wrote:</FONT> </P>
<P><FONT size=2>> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin
wrote:</FONT> <BR><FONT size=2>> > On Tue, Jan 29, 2002 at 12:56:55PM
+0100, Dost, Alexander wrote:</FONT> <BR><FONT size=2>> > > maybe
this is a silly question ;-) But why is it possible to login on a</FONT>
<BR><FONT size=2>> > > machine with a locked account (passwd -l )
via pubkey-authentication</FONT> <BR><FONT size=2>> > >
(authorized_keys) ?</FONT> <BR><FONT size=2>> > > I use
OpenSSH3.01p1on Solaris8 with PAM support so I thought this should
not</FONT> <BR><FONT size=2>> > > happen.</FONT> <BR><FONT
size=2>> > </FONT><BR><FONT size=2>> > Check the list archives
and you'll find others with the same problem.</FONT> <BR><FONT size=2>>
> Noone has turned up a solution with Solaris 8/PAM yet.</FONT> <BR><FONT
size=2>> </FONT><BR><FONT size=2>> huh.. This is definitely a
bug; probably in the Solaris PAM libs. I can</FONT> <BR><FONT
size=2>> look into this, unfortunately not within a day or so.</FONT>
</P>
<P><FONT size=2>I don't think it is a bug even. Having accounts with locked
passwords, but</FONT> <BR><FONT size=2>still accessible via pubkey auth is a
very useful thing.</FONT> </P>
<P><FONT size=2>-d</FONT> </P><BR>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>openssh-unix-dev@mindrot.org mailing list</FONT> <BR><FONT
size=2><A href="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev"
target=_blank>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received or<BR>otherwise
recorded by the A.G. Edwards corporate e-mail system and is<BR>subject to
archival, monitoring or review by, and/or disclosure to,<BR>someone other
than the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></BLOCKQUOTE></FONT></CODE><CODE><FONT SIZE=3><BR>
<BR>
***************************************************************************************<BR>
WARNING: All e-mail sent to and from this address will be received or<BR>
otherwise recorded by the A.G. Edwards corporate e-mail system and is<BR>
subject to archival, monitoring or review by, and/or disclosure to,<BR>
someone other than the recipient.<BR>
***************************************************************************************<BR>
</FONT></CODE></BODY></HTML>