<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35">
<TITLE>RE: locked account accessable via pubkey auth</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>HP-UX 11.00</FONT>
<BR><FONT SIZE=2>from: man passwd</FONT>
<BR><FONT SIZE=2>-l Lock user account.</FONT>
</P>
<P><FONT SIZE=2>from: man getspent</FONT>
<BR><FONT SIZE=2>getspent(3C) getspent(3C)</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> NAME</FONT>
<BR><FONT SIZE=2> getspent, getspnam, setspent, endspent - access secure password</FONT>
<BR><FONT SIZE=2> entries, for trusted systems only.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> SYNOPSIS</FONT>
<BR><FONT SIZE=2> #include <shadow.h></FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> struct spwd * getspent (void);</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> struct spwd * getspnam (const char *name);</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> void setspent (void);</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> void endspent (void);</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> DESCRIPTION</FONT>
<BR><FONT SIZE=2> The routines getspent() and getspnam() return a pointer to the next</FONT>
<BR><FONT SIZE=2> secured password entry. Each entry is a spwd structure, declared in</FONT>
<BR><FONT SIZE=2> the shadow.h header file with the following members:</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> char *sp_namp; /* the user's login name */</FONT>
<BR><FONT SIZE=2> char *sp_pwdp; /* the encrypted password for the user */</FONT>
<BR><FONT SIZE=2> long sp_lstchg; /* # of days from 1/1/70 when passwd was last modified */</FONT>
<BR><FONT SIZE=2> long sp_min; /* min # of days allowed between password changes */</FONT>
<BR><FONT SIZE=2> long sp_max; /* max # of days allowed between password changes */</FONT>
<BR><FONT SIZE=2> long sp_warn; /* # of days before password expires and warning issued*/</FONT>
<BR><FONT SIZE=2> long sp_inact; /* # of days between account inactive and disabled */</FONT>
<BR><FONT SIZE=2> long sp_expire; /* # of days from 1/1/70 when account is locked */</FONT>
<BR><FONT SIZE=2> unsigned long sp_flag;/* currently unused */</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> The getspent() routine returns a pointer to the first spwd structure</FONT>
<BR><FONT SIZE=2> when first called. Subsequent calls return pointers to successive spwd</FONT>
<BR><FONT SIZE=2> structures. Repeated calls to getspent() can be used to search all</FONT>
<BR><FONT SIZE=2> entries in the protected password database. The getspnam () routine</FONT>
<BR><FONT SIZE=2> searches password entries from beginning to end until a login name</FONT>
<BR><FONT SIZE=2> matching name is found, and returns a pointer to that entry.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> If the fields corresponding to sp_min, sp_max, sp_lstchg, sp_warn,</FONT>
<BR><FONT SIZE=2> sp_inact, sp_expire, or sp_flag are not specified in the entry, they</FONT>
<BR><FONT SIZE=2> default to -1. If an end-of-file or an error is encountered in reading</FONT>
<BR><FONT SIZE=2> or a format error is detected, these functions return a null pointer</FONT>
<BR><FONT SIZE=2> and, for an error, errno is set to EINVAL.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> The setspent() routine is used to reset access to the secured password</FONT>
<BR><FONT SIZE=2> entries. After setspent() is called, the subsequent call to getspent()</FONT>
<BR><FONT SIZE=2> returns the first secured password entry. This mechanism is used to</FONT>
<BR><FONT SIZE=2> allow repeated searches of the secured password entries. The</FONT>
<BR><FONT SIZE=2> endspent() routine is used to indicate that processing of secured</FONT>
<BR><FONT SIZE=2> password entries is complete.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> Hewlett-Packard Company - 1 - HP-UX Release 11.00: October 1997</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> getspent() is only supported on trusted systems.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> The secured password facility is implemented without the use of the</FONT>
<BR><FONT SIZE=2> /etc/shadow file. getspent(), getspnam(), setspent(), and endspent()</FONT>
<BR><FONT SIZE=2> read from the trusted system's protected password database</FONT>
<BR><FONT SIZE=2> (/tcb/files/auth/*/*) and not /etc/shadow. The file /etc/shadow is</FONT>
<BR><FONT SIZE=2> not used in any way by the HP-UX login facility.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> These routines return a null pointer and set errno to ENOENT if the</FONT>
<BR><FONT SIZE=2> system has not been converted to a trusted system. In all other cases,</FONT>
<BR><FONT SIZE=2> the return value is set similarly to getprpwent(). See getprpwent(3)</FONT>
<BR><FONT SIZE=2> for more information.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> Programs using these routines must be compiled with -lsec.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> FILES</FONT>
<BR><FONT SIZE=2> /etc/passwd System Password file.</FONT>
<BR><FONT SIZE=2> /tcb/files/auth/*/* Protected password database, for trusted</FONT>
<BR><FONT SIZE=2> systems.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> SEE ALSO</FONT>
<BR><FONT SIZE=2> getpwent(3C), getprpwent(3), passwd(4).</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> DIAGNOSTICS</FONT>
<BR><FONT SIZE=2> getspent(), getspnam(), and fgetspent() return a null pointer on EOF</FONT>
<BR><FONT SIZE=2> or error.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> STANDARDS CONFORMANCE</FONT>
<BR><FONT SIZE=2> getspent : SVID3</FONT>
</P>
<P><FONT SIZE=2>Thanks,</FONT>
<BR><FONT SIZE=2>--Jason Lacoss-Arnold, Systems Technical Specialist</FONT>
<BR><FONT SIZE=2>Technical Services - Unix Arch.</FONT>
<BR><FONT SIZE=2>314-955-8501</FONT>
</P>
<BR>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Frank Cusack [<A HREF="mailto:fcusack@fcusack.com">mailto:fcusack@fcusack.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Wednesday, January 30, 2002 18:01</FONT>
<BR><FONT SIZE=2>To: Damien Miller</FONT>
<BR><FONT SIZE=2>Cc: openssh-unix-dev@mindrot.org; Dost, Alexander</FONT>
<BR><FONT SIZE=2>Subject: Re: locked account accessable via pubkey auth</FONT>
</P>
<BR>
<P><FONT SIZE=2>On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller wrote:</FONT>
<BR><FONT SIZE=2>> On Tue, 29 Jan 2002, Frank Cusack wrote:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:</FONT>
<BR><FONT SIZE=2>> > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:</FONT>
<BR><FONT SIZE=2>> > > > maybe this is a silly question ;-) But why is it possible to login on a</FONT>
<BR><FONT SIZE=2>> > > > machine with a locked account (passwd -l ) via pubkey-authentication</FONT>
<BR><FONT SIZE=2>> > > > (authorized_keys) ?</FONT>
<BR><FONT SIZE=2>> > </FONT>
<BR><FONT SIZE=2>> > huh.. This is definitely a bug; probably in the Solaris PAM libs. I can</FONT>
<BR><FONT SIZE=2>> > look into this, unfortunately not within a day or so.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> I don't think it is a bug even. Having accounts with locked passwords, but</FONT>
<BR><FONT SIZE=2>> still accessible via pubkey auth is a very useful thing.</FONT>
</P>
<P><FONT SIZE=2>I agree, that is useful, but whether or not it's a bug depends on the meaning</FONT>
<BR><FONT SIZE=2>of 'passwd -l'. SUSv2 does not define the passwd command, so I guess this</FONT>
<BR><FONT SIZE=2>is implementation-dependent.</FONT>
</P>
<P><FONT SIZE=2>On Solaris 8, passwd(8) says -l "Locks password entry for _name_". It does</FONT>
<BR><FONT SIZE=2>not say that it locks the *account*. So this would seem to be consistent</FONT>
<BR><FONT SIZE=2>with pubkey auth still being allowed. Even so, I would tend to think it</FONT>
<BR><FONT SIZE=2>should lock the "account". I don't know if this list is a good place for</FONT>
<BR><FONT SIZE=2>it, but personally I would be interested in hearing arguments for either.</FONT>
</P>
<P><FONT SIZE=2>Can someone report on what the HP-UX man page says? I'd also be interested</FONT>
<BR><FONT SIZE=2>to see the man page for HP-UX getspent(). (Another email in this thread</FONT>
<BR><FONT SIZE=2>says HP-UX prevents pubkey auth after 'passwd -l'.)</FONT>
</P>
<P><FONT SIZE=2>/fc</FONT>
</P>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>openssh-unix-dev@mindrot.org mailing list</FONT>
<BR><FONT SIZE=2><A HREF="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev" TARGET="_blank">http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
</P>
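<P><FONT SIZE=2>The distinction the thread turns on, a locked password entry versus a locked account, as an added C example (not code from the thread, from HP-UX or from OpenSSH). It parses constructed shadow-style lines carrying the same fields as the spwd struct quoted above, flags the entry as password-locked when the hash starts with "!" (Linux passwd -l) or "*LK*" (Solaris passwd -l) or is a bare "*", flags it account-locked when sp_expire has passed, and then shows that a key-based login path has to apply whichever policy it wants itself, since it never consults the hash. The /etc/shadow field order is used only as a portable stand-in for getspnam(); the lock markers, the day number used as "today" and the sample lines are assumptions made for the example.</FONT></P>

```c
/* Added example, not code from the thread, from HP-UX or from OpenSSH.
 * The sample lines, the day number and the lock markers are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TODAY 11717L   /* days since 1/1/70 = 30 Jan 2002, constructed */
/* Same fields as the spwd struct in the getspent(3C) text above. */
struct entry { char name[32]; char pwdp[128]; long lstchg, min, max, warn, inact, expire; };

enum { LOCK_NONE = 0, LOCK_PASSWD = 1, LOCK_EXPIRED = 2 };

/* Empty numeric fields default to -1, as the man page says. */
static long num_field(const char *s) { return *s ? strtol(s, NULL, 10) : -1; }

/* Split "name:pwdp:lstchg:min:max:warn:inact:expire:flag" (the /etc/shadow
 * layout, used here only as a portable stand-in for getspnam()).
 * Returns 0 on success, -1 on a malformed line. */
static int parse_shadow_line(const char *line, struct entry *e)
{
    char buf[256], *f[9], *p;
    long *nums[] = { &e->lstchg, &e->min, &e->max, &e->warn, &e->inact, &e->expire };
    int n = 1, i;
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    f[0] = buf;
    for (p = buf; *p != '\0' && n < 9; p++)
        if (*p == ':') {
            *p = '\0';
            f[n++] = p + 1;
        }
    if (n < 8 || strlen(f[0]) >= sizeof e->name || strlen(f[1]) >= sizeof e->pwdp)
        return -1;
    strcpy(e->name, f[0]);
    strcpy(e->pwdp, f[1]);
    for (i = 0; i < 6; i++)
        *nums[i] = num_field(f[2 + i]);
    return 0;
}

/* What passwd -l changes is the hash, so that no password can match it.
 * Assumed markers: leading "!" (Linux), leading "*LK*" (Solaris), bare "*". */
static int passwd_locked(const char *pwdp)
{
    return pwdp[0] == '!' || strncmp(pwdp, "*LK*", 4) == 0 || strcmp(pwdp, "*") == 0;
}

/* sp_expire is the only field that says the account itself is locked. */
static int lock_state(const struct entry *e, long today)
{
    int s = LOCK_NONE;
    if (passwd_locked(e->pwdp))
        s |= LOCK_PASSWD;
    if (e->expire >= 0 && today >= e->expire)
        s |= LOCK_EXPIRED;
    return s;
}

/* A login path that never consults the hash (pubkey auth) must decide this
 * itself.  strict=1: a locked password also locks the account (the HP-UX
 * behaviour reported in the thread).  strict=0: only sp_expire stops it. */
static int pubkey_login_allowed(const struct entry *e, long today, int strict)
{
    int s = lock_state(e, today);
    if (s & LOCK_EXPIRED)
        return 0;
    if (strict && (s & LOCK_PASSWD))
        return 0;
    return 1;
}

/* One-call wrapper over a raw line; -1 means malformed, which is also a refusal. */
static int decide_line(const char *line, long today, int strict)
{
    struct entry e;
    return parse_shadow_line(line, &e) == 0 ? pubkey_login_allowed(&e, today, strict) : -1;
}

/* Constructed entries; the hashes are placeholders, not real digests. */
static const char *const sample[] = {
    "alice:$6$salt$placeholder:11716:0:99999:7:::",      /* normal account       */
    "bob:!$6$salt$placeholder:11716:0:99999:7:::",       /* Linux passwd -l      */
    "carol:*LK*$6$salt$placeholder:11716:0:99999:7:::",  /* Solaris passwd -l    */
    "dave:$6$salt$placeholder:11716:0:99999:7::11700:",  /* sp_expire has passed */
    "erin:*:11716:0:99999:7:::",                         /* no usable hash       */
    "mallory:garbage",                                   /* malformed            */
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("strict=%2d lenient=%2d  %s\n", decide_line(sample[i], TODAY, 1),
               decide_line(sample[i], TODAY, 0), sample[i]);
    return 0;
}
```

<P><FONT SIZE=2>Compile with cc and run it: the strict column is the HP-UX reading of passwd -l reported in the thread, the lenient column the Solaris behaviour the question started from. Only dave (sp_expire in the past) is refused under both readings; bob, carol and erin are refused only when the daemon chooses to treat a locked hash as a locked account. Whichever policy is picked, it has to be made explicitly in the non-password path, because nothing in the hash field will stop a pubkey login on its own.</FONT></P>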
</BODY>
</HTML>