<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: locked account accessable via pubkey auth</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2712.300" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Since normally it's impossible to access the
account of a password-disabled account, should default behavior on Solaris be to
assume password-disabled means access-disabled?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It seems to me that the rest of the Solaris tools
assume "no password = no access". Perhaps we should as well, and provide a
separate configuration option to override to the useful but non-obvious
pubkey-only mode.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thoughts?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--Dan</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Jason.Lacoss-Arnold@AGEDWARDS.com
href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com">Lacoss-Arnold, Jason</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=djm@mindrot.org
href="mailto:djm@mindrot.org">'Damien Miller'</A> ; <A
title=fcusack@fcusack.com href="mailto:fcusack@fcusack.com">Frank Cusack</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=openssh-unix-dev@mindrot.org
href="mailto:openssh-unix-dev@mindrot.org">openssh-unix-dev@mindrot.org</A> ;
<A title=Alexander.Dost@drkw.com href="mailto:Alexander.Dost@drkw.com">Dost,
Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002 4:59
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account accessable
via pubkey auth</DIV>
<DIV><BR></DIV>
<P><FONT size=2>No, it's at best a really annoying "feature" but it feels more
like a bug. Basically, it makes it a royal pain in the arse to disable
an account when a user leaves since all of the Solaris tools assume that
passwd=*LK* means that the account is disabled. Hence, if you actually
want to disable the account you have to first use Sun's tool and additionally
either change the shell to /bin/false or similar, put the user in a group
that's listed in sshd_config's DenyGroups, go wipe out user keys and configs,
or some other kludge. Kludging sucks.</FONT></P>
<P><FONT size=2>Thanks,</FONT> <BR><FONT size=2>--Jason Lacoss-Arnold, Systems
Technical Specialist</FONT> <BR><FONT size=2>Technical Services - Unix
Arch.</FONT> <BR><FONT size=2>314-955-8501</FONT> </P><BR>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From:
Damien Miller [<A
href="mailto:djm@mindrot.org">mailto:djm@mindrot.org</A>]</FONT> <BR><FONT
size=2>Sent: Tuesday, January 29, 2002 22:40</FONT> <BR><FONT size=2>To: Frank
Cusack</FONT> <BR><FONT size=2>Cc: openssh-unix-dev@mindrot.org; Dost,
Alexander</FONT> <BR><FONT size=2>Subject: Re: locked account accessable via
pubkey auth</FONT> </P><BR>
<P><FONT size=2>On Tue, 29 Jan 2002, Frank Cusack wrote:</FONT> </P>
<P><FONT size=2>> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin
wrote:</FONT> <BR><FONT size=2>> > On Tue, Jan 29, 2002 at 12:56:55PM
+0100, Dost, Alexander wrote:</FONT> <BR><FONT size=2>> > > maybe
this is a silly question ;-) But why is it possible to login on a</FONT>
<BR><FONT size=2>> > > machine with a locked account (passwd -l ) via
pubkey-authentication</FONT> <BR><FONT size=2>> > > (authorized_keys)
?</FONT> <BR><FONT size=2>> > > I use OpenSSH3.01p1on Solaris8 with
PAM support so I thought this should not</FONT> <BR><FONT size=2>> >
> happen.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>>
> Check the list archives and you'll find others with the same
problem.</FONT> <BR><FONT size=2>> > Noone has turned up a solution with
Solaris 8/PAM yet.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>>
huh.. This is definitely a bug; probably in the Solaris PAM libs.
I can</FONT> <BR><FONT size=2>> look into this, unfortunately not within a
day or so.</FONT> </P>
<P><FONT size=2>I don't think it is a bug even. Having accounts with locked
passwords, but</FONT> <BR><FONT size=2>still accessible via pubkey auth is a
very useful thing.</FONT> </P>
<P><FONT size=2>-d</FONT> </P><BR>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>openssh-unix-dev@mindrot.org mailing list</FONT> <BR><FONT
size=2><A href="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev"
target=_blank>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received or<BR>otherwise
recorded by the A.G. Edwards corporate e-mail system and is<BR>subject to
archival, monitoring or review by, and/or disclosure to,<BR>someone other than
the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></FONT></CODE></BODY></HTML>