<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: locked account accessable via pubkey auth</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2712.300" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hmmm, consistency with r* series vs. consistency
with what is obviously the platform designer's intent. Probably the
only time I've ever seen these two in direct conflict.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>I'm leaning towards agreeing with you on
this...it's a really special case that someone would just want pubkey. Is
there anyone who thinks this isn't an obscure but genuine platform-specific
security issue, solved by adding a check before pubkey to see if the password is
locked on platforms with locking implemented?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--Dan</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Jason.Lacoss-Arnold@AGEDWARDS.com
href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com">Lacoss-Arnold, Jason</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=dan@doxpara.com
href="mailto:dan@doxpara.com">'Dan Kaminsky'</A> ; <A title=djm@mindrot.org
href="mailto:djm@mindrot.org">'Damien Miller'</A> ; <A
title=fcusack@fcusack.com href="mailto:fcusack@fcusack.com">Frank Cusack</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=openssh-unix-dev@mindrot.org
href="mailto:openssh-unix-dev@mindrot.org">openssh-unix-dev@mindrot.org</A> ;
<A title=Alexander.Dost@drkw.com href="mailto:Alexander.Dost@drkw.com">Dost,
Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002 5:46
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account accessable
via pubkey auth</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=412453713-30012002>No. ftp doesn't allow it. The console
doesn't allow it. The r* commands would allow it, but we don't allow
them for obvious reasons. But we feel that the tool we're using to rid
ourselves of security holes shouldn't replicate security
holes.</SPAN></FONT></DIV>
<DIV> </DIV>
<P><FONT face=Tahoma size=2>Thanks,</FONT> <BR><I><FONT face=Tahoma
size=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT></I>
<BR><I><FONT face=Tahoma size=2>Technical Services - Unix Arch.</FONT></I>
<BR><I><FONT face=Tahoma size=2>314-955-8501</FONT></I> </P>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Dan Kaminsky
[mailto:dan@doxpara.com]<BR><B>Sent:</B> Wednesday, January 30, 2002
7:43<BR><B>To:</B> Lacoss-Arnold, Jason; 'Damien Miller'; Frank
Cusack<BR><B>Cc:</B> <A
href="mailto:openssh-unix-dev@mindrot.org">openssh-unix-dev@mindrot.org</A>;
Dost, Alexander<BR><B>Subject:</B> Re: locked account accessable via pubkey
auth<BR><BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Without SSH, is there *any* other way to access
a password-locked account than to su in from root?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If not, I don't see it as being valid to allow
a pubkey "backdoor" by default. It comes down to whether the platforms
are equating "no password = no access". Unless something else has
access with no password, we shouldn't be allowing such.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Now, do we generally directly manage
passwd/shadow files on Solaris, or do we usually go through PAM? Can
PAM report an LK password state, so we could check for it before allowing
pubkey?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--dan</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Jason.Lacoss-Arnold@AGEDWARDS.com
href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com">Lacoss-Arnold, Jason</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=dan@doxpara.com
href="mailto:dan@doxpara.com">'Dan Kaminsky'</A> ; <A
title=djm@mindrot.org href="mailto:djm@mindrot.org">'Damien Miller'</A> ;
<A title=fcusack@fcusack.com href="mailto:fcusack@fcusack.com">Frank
Cusack</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A
title=openssh-unix-dev@mindrot.org
href="mailto:openssh-unix-dev@mindrot.org">openssh-unix-dev@mindrot.org</A>
; <A title=Alexander.Dost@drkw.com
href="mailto:Alexander.Dost@drkw.com">Dost, Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002
5:26 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account
accessable via pubkey auth</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=903432013-30012002>As an interesting side note, HP-UX used to also
have this problem, but I just tested on an 11.0 trusted HP-UX box and
disabling my account in SAM did actually disable it to ssh.
Unfortunately, we don't have any untrusted systems, so I can't tell if
it's a ramification of the HPs whole tcb shananigans (their version of
shadow files) or if all of HP is similarly fixed.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=903432013-30012002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=903432013-30012002>Also, I'm pretty sure that this behavior in
Solaris way predated version 8.</SPAN></FONT></DIV>
<DIV> </DIV>
<P><FONT face=Tahoma size=2>Thanks,</FONT> <BR><I><FONT face=Tahoma
size=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT></I>
<BR><I><FONT face=Tahoma size=2>Technical Services - Unix Arch.</FONT></I>
<BR><I><FONT face=Tahoma size=2>314-955-8501</FONT></I> </P>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Dan Kaminsky
[mailto:dan@doxpara.com]<BR><B>Sent:</B> Wednesday, January 30, 2002
7:17<BR><B>To:</B> Lacoss-Arnold, Jason; 'Damien Miller'; Frank
Cusack<BR><B>Cc:</B> openssh-unix-dev@mindrot.org; Dost,
Alexander<BR><B>Subject:</B> Re: locked account accessable via pubkey
auth<BR><BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Since normally it's impossible to access
the account of a password-disabled account, should default behavior on
Solaris be to assume password-disabled means
access-disabled?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It seems to me that the rest of the Solaris
tools assume "no password = no access". Perhaps we should as well,
and provide a separate configuration option to override to the useful
but non-obvious pubkey-only mode.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thoughts?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>--Dan</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Jason.Lacoss-Arnold@AGEDWARDS.com
href="mailto:Jason.Lacoss-Arnold@AGEDWARDS.com">Lacoss-Arnold,
Jason</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=djm@mindrot.org
href="mailto:djm@mindrot.org">'Damien Miller'</A> ; <A
title=fcusack@fcusack.com href="mailto:fcusack@fcusack.com">Frank
Cusack</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A
title=openssh-unix-dev@mindrot.org
href="mailto:openssh-unix-dev@mindrot.org">openssh-unix-dev@mindrot.org</A>
; <A title=Alexander.Dost@drkw.com
href="mailto:Alexander.Dost@drkw.com">Dost, Alexander</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, January 30, 2002
4:59 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: locked account
accessable via pubkey auth</DIV>
<DIV><BR></DIV>
<P><FONT size=2>No, it's at best a really annoying "feature" but it
feels more like a bug. Basically, it makes it a royal pain in
the arse to disable an account when a user leaves since all of the
Solaris tools assume that passwd=*LK* means that the account is
disabled. Hence, if you actually want to disable the account you
have to first use Sun's tool and additionally either change the shell
to /bin/false or similar, put the user in a group that's listed in
sshd_config's DenyGroups, go wipe out user keys and configs, or some
other kludge. Kludging sucks.</FONT></P>
<P><FONT size=2>Thanks,</FONT> <BR><FONT size=2>--Jason Lacoss-Arnold,
Systems Technical Specialist</FONT> <BR><FONT size=2>Technical
Services - Unix Arch.</FONT> <BR><FONT size=2>314-955-8501</FONT>
</P><BR>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT
size=2>From: Damien Miller [<A
href="mailto:djm@mindrot.org">mailto:djm@mindrot.org</A>]</FONT>
<BR><FONT size=2>Sent: Tuesday, January 29, 2002 22:40</FONT>
<BR><FONT size=2>To: Frank Cusack</FONT> <BR><FONT size=2>Cc:
openssh-unix-dev@mindrot.org; Dost, Alexander</FONT> <BR><FONT
size=2>Subject: Re: locked account accessable via pubkey auth</FONT>
</P><BR>
<P><FONT size=2>On Tue, 29 Jan 2002, Frank Cusack wrote:</FONT> </P>
<P><FONT size=2>> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert
Chin wrote:</FONT> <BR><FONT size=2>> > On Tue, Jan 29, 2002 at
12:56:55PM +0100, Dost, Alexander wrote:</FONT> <BR><FONT size=2>>
> > maybe this is a silly question ;-) But why is it possible to
login on a</FONT> <BR><FONT size=2>> > > machine with a
locked account (passwd -l ) via pubkey-authentication</FONT> <BR><FONT
size=2>> > > (authorized_keys) ?</FONT> <BR><FONT size=2>>
> > I use OpenSSH3.01p1on Solaris8 with PAM support so I thought
this should not</FONT> <BR><FONT size=2>> > > happen.</FONT>
<BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Check the
list archives and you'll find others with the same problem.</FONT>
<BR><FONT size=2>> > Noone has turned up a solution with Solaris
8/PAM yet.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>>
huh.. This is definitely a bug; probably in the Solaris PAM
libs. I can</FONT> <BR><FONT size=2>> look into this,
unfortunately not within a day or so.</FONT> </P>
<P><FONT size=2>I don't think it is a bug even. Having accounts with
locked passwords, but</FONT> <BR><FONT size=2>still accessible via
pubkey auth is a very useful thing.</FONT> </P>
<P><FONT size=2>-d</FONT> </P><BR>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>openssh-unix-dev@mindrot.org mailing list</FONT>
<BR><FONT size=2><A
href="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev"
target=_blank>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received
or<BR>otherwise recorded by the A.G. Edwards corporate e-mail system
and is<BR>subject to archival, monitoring or review by, and/or
disclosure to,<BR>someone other than the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></BLOCKQUOTE></FONT></CODE><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received or<BR>otherwise
recorded by the A.G. Edwards corporate e-mail system and is<BR>subject to
archival, monitoring or review by, and/or disclosure to,<BR>someone other
than the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></BLOCKQUOTE></FONT></CODE><CODE><FONT
size=3><BR><BR>***************************************************************************************<BR>WARNING:
All e-mail sent to and from this address will be received or<BR>otherwise
recorded by the A.G. Edwards corporate e-mail system and is<BR>subject to
archival, monitoring or review by, and/or disclosure to,<BR>someone other than
the
recipient.<BR>***************************************************************************************<BR></BLOCKQUOTE></FONT></CODE></BODY></HTML>