Re: adduser: what is the difference between --disabled-password and --disabled-login
On Wed, 11 May 2005 01:40:33 +0300, Shaul Karl <shaulk@013.net> wrote:
>The way I understand it, the effect of ! or * is identical.
No.
>Alternatively, the difference is set by the configuration of pam, which,
>I believe, is out of adduser scope. This match my experience that login
>through SSH RSA key is possible even if a '!' is used.
> In any case, am I right that adduser's --disabled-login and
>--disabled-password look to be the same?
Once again, it is "UsePam yes" in the default /etc/ssh/sshd_config
which breaks things.
If that option is switched off, an account created with adduser
--disabled-login is impossible to ssh into (log entry "sshd[14704]:
User testuser not allowed because account is locked") while an account
created with adduser --disabled-password can ssh in fine via
authorized_keys.
"UsePam yes" is generally a _big_ surprise for the local admin since
it allows passwords to be used even if "UsePasswordAuthentication
no" is set in sshd_config.
Looks like we have just found the second security option which is
broken by "UsePam yes". Bad, very bad.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
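The following audit script is an added example for this thread, not code from the thread, from adduser or from OpenSSH. It takes the two facts discussed above (a "!" lock marker in the shadow password field versus a "*" no-password marker, and "UsePAM yes" letting PAM prompt for a password even when PasswordAuthentication is off) and turns them into checks a local admin can run. The shadow entries and the sshd_config excerpt are constructed sample data; the assumed mechanism behind the password bypass is keyboard-interactive authentication (ChallengeResponseAuthentication) handled by PAM, and the key-login expectations encode only the observations reported in the thread.

```shell
#!/bin/sh
# Added audit example (not from the mailing-list thread). Classifies accounts
# by the marker in the shadow password field and checks sshd_config for the
# UsePAM / PasswordAuthentication combination discussed in the thread.
# Both inputs below are constructed sample data, not real system files.

SAMPLE_SHADOW='root:$6$abc$hashplaceholder:16000:0:99999:7:::
locked:!:16000:0:99999:7:::
nopass:*:16000:0:99999:7:::
keyonly:!$6$def$anotherhash:16000:0:99999:7:::'

SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
UsePAM yes
PasswordAuthentication no
PubkeyAuthentication yes'

# classify_shadow_entry "<shadow line>" prints one of:
#   locked        field begins with "!" (adduser --disabled-login, passwd -l)
#   no-password   field is "*" (adduser --disabled-password)
#   password-set  a hash is present
#   empty         empty password field
classify_shadow_entry() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')   echo empty ;;
        '!'*) echo locked ;;
        '*')  echo no-password ;;
        *)    echo password-set ;;
    esac
}

# sshd_option "<config text>" "<Keyword>" prints the lower-cased value of the
# first uncommented occurrence (sshd honours the first match) or "unset".
sshd_option() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }')
    [ -n "$v" ] && echo "$v" || echo unset
}

# pam_password_bypass "<config text>" prints "yes" when UsePAM is on while
# PasswordAuthentication is off and keyboard-interactive auth is not explicitly
# disabled: the combination where PAM can still ask for a password.
pam_password_bypass() {
    usepam=$(sshd_option "$1" UsePAM)
    pwauth=$(sshd_option "$1" PasswordAuthentication)
    cra=$(sshd_option "$1" ChallengeResponseAuthentication)
    if [ "$usepam" = yes ] && [ "$pwauth" = no ] && [ "$cra" != no ]; then
        echo yes
    else
        echo no
    fi
}

# key_login_expected "<class>" "<usepam yes|no>" encodes the thread's
# observations: with UsePAM off, sshd itself refuses "!"-locked accounts
# ("User ... not allowed because account is locked"); with UsePAM on, the
# decision is left to the PAM account modules.
key_login_expected() {
    case "$1:$2" in
        locked:no) echo refused ;;
        locked:*)  echo allowed-unless-pam-denies ;;
        *)         echo allowed ;;
    esac
}

# audit_report prints one line per account plus the sshd_config findings.
audit_report() {
    usepam=$(sshd_option "$SAMPLE_SSHD_CONFIG" UsePAM)
    echo "sshd: UsePAM=$usepam PasswordAuthentication=$(sshd_option "$SAMPLE_SSHD_CONFIG" PasswordAuthentication)"
    echo "PAM password prompt still possible: $(pam_password_bypass "$SAMPLE_SSHD_CONFIG")"
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        user=${line%%:*}
        class=$(classify_shadow_entry "$line")
        echo "$user: $class (key login: $(key_login_expected "$class" "$usepam"))"
    done
}

audit_report
```

On a real host the same functions apply to `/etc/shadow` (as root) and `/etc/ssh/sshd_config` in place of the constructed strings; the lock marker is only a first-line check, since PAM account modules and `AllowUsers`/`DenyUsers` can still change the outcome.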