[patch] LOCKED_PASSWD_STRING for FreeBSD

Jeremie Le Hen jeremie at le-hen.org
Wed Oct 5 22:36:15 EST 2005


Hi Senthil,

> >I think it is pw(8) that does this locking in FreeBSD and also documents
> >the behaviour.
> 
> If that's the case I hope the attached patch may honour locked accounts in 
> FreeBSD.
> 
> Thanks,
> Senthil Kumar. 

> Index: configure.ac
> ===================================================================
> RCS file: /cvs/openssh/configure.ac,v
> retrieving revision 1.296
> diff -u -p -u -r1.296 configure.ac
> --- configure.ac	22 Sep 2005 10:19:54 -0000	1.296
> +++ configure.ac	4 Oct 2005 21:59:01 -0000
> @@ -398,6 +398,7 @@ mips-sony-bsd|mips-sony-newsos4)
> 	;;
> *-*-freebsd*)
> 	check_for_libcrypt_later=1
> +	AC_DEFINE(LOCKED_PASSWD_SUBSTR, "*LOCKED*")
> 	;;
> *-*-bsdi*)
> 	AC_DEFINE(SETEUID_BREAKS_SETUID)
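
Review bot: on the added AC_DEFINE line under *-*-freebsd*, LOCKED_PASSWD_SUBSTR matches "*LOCKED*" anywhere in the password field, which is looser than needed if pw(8) always writes the marker at the start of the field. Please confirm the exact form pw lock leaves in master.passwd and, if the marker is always leading, define LOCKED_PASSWD_PREFIX instead so only a leading "*LOCKED*" counts as locked.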

You are right, but currently the implementation doesn't seem to make
a difference.  I tried to lock "nobody"; this does not prevent
cron jobs from being run, unfortunately.  In the same way, the OpenSSH provided
in FreeBSD does not prevent logging in with keys when an account is
locked, but Dag-Erling Smorgrav swore to fix this soon in the source tree.

Your patch is better than mine, but not yet perfect:

% obiwan:root# grep nobody /etc/master.passwd 
% nobody:$1$p0WuUGm5$o5/Q1k7bUg/WTtmA2mwGV0:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
% obiwan:root# pw lock nobody
% obiwan:root# grep nobody /etc/master.passwd 
% nobody:*LOCKED*$1$p0WuUGm5$o5/Q1k7bUg/WTtmA2mwGV0:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin

(Don't be afraid, I have already removed nobody's password :-)).

I think we therefore should use LOCKED_PASSWD_PREFIX instead; the
updated patch is attached.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
-------------- next part --------------
Index: configure.ac
===================================================================
RCS file: /cvs/openssh/configure.ac,v
retrieving revision 1.296
diff -u -p -u -r1.296 configure.ac
--- configure.ac	22 Sep 2005 10:19:54 -0000	1.296
+++ configure.ac	5 Oct 2005 12:36:06 -0000
@@ -398,6 +398,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	;;
 *-*-freebsd*)
 	check_for_libcrypt_later=1
+	AC_DEFINED(LOCKED_PASSWD_PREFIX, "*LOCKED*")
 	;;
 *-*-bsdi*)
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
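
Review bot: the added line under *-*-freebsd* calls AC_DEFINED, which is not an Autoconf macro; the context line two below uses AC_DEFINE(SETEUID_BREAKS_SETUID), so this should read AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*"). As written the macro will not expand, so LOCKED_PASSWD_PREFIX never reaches config.h and the locked-account check this patch is meant to enable stays off on FreeBSD.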

