
Re: adduser: what is the difference between --disabled-password and --disabled-login



On Wed, 11 May 2005 01:40:33 +0300, Shaul Karl <shaulk@013.net> wrote:
>The way I understand it, the effect of ! or * is identical.

No.

>Alternatively, the difference is set by the configuration of pam, which,
>I believe, is out of adduser scope. This matches my experience that login
>through SSH RSA key is possible even if a '!' is used.
>  In any case, am I right that adduser's --disabled-login and 
>--disabled-password look to be the same?

Once again, it is "UsePam yes" in the default /etc/ssh/sshd_config
which breaks things.

If that option is switched off, an account created with adduser
--disabled-login is impossible to ssh into (log entry "sshd[14704]:
User testuser not allowed because account is locked") while an account
created with adduser --disabled-password can ssh in fine via
authorized_keys.

"UsePam yes" is generally a _big_ surprise for the local admin since
it allows passwords to be used even if "UsePasswordAuthentication
no" is set in sshd_config.

Looks like we have just found the second security option which is
broken by "UsePam yes". Bad, very bad.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
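As an added example (not from the thread, adduser or sshd), a small POSIX sh audit helper that classifies the shadow password field each adduser option leaves behind, reads the effective UsePAM value from an sshd_config, and applies the finding above: a "!"-locked account is refused by sshd only when UsePAM is off. All function names, the sample shadow lines and the sshd_config fragments are constructed.

```shell
#!/bin/sh
# Hypothetical audit helper; constructed for illustration, not part of adduser.

# classify_pw_field LINE -> locked | no_password | empty | hashed
classify_pw_field() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)   # second field is the password hash
    case "$pw" in
        '!'*) echo locked ;;       # adduser --disabled-login: shadow-locked
        '*')  echo no_password ;;  # adduser --disabled-password: keys only
        '')   echo empty ;;        # empty password field: must never appear
        *)    echo hashed ;;       # a normal hashed password
    esac
}

# sshd_use_pam CONFIG -> yes | no. sshd honours the first occurrence of a
# keyword; if it is absent, the OpenSSH default of "no" applies.
sshd_use_pam() {
    v=$(awk 'tolower($1)=="usepam" { print tolower($2); exit }' "$1")
    echo "${v:-no}"
}

# key_login_possible LINE CONFIG -> yes | no, encoding the thread's finding:
# with UsePAM off sshd itself rejects a locked account ("account is locked");
# with UsePAM on the check is left to PAM and a key login still succeeds.
key_login_possible() {
    cls=$(classify_pw_field "$1")
    if [ "$cls" = locked ] && [ "$(sshd_use_pam "$2")" = no ]; then
        echo no
    else
        echo yes
    fi
}

# Constructed sample data: two adduser-style accounts plus a normal one, and
# a Debian-style config (UsePAM yes) beside one with UsePAM switched off.
SHADOW_SAMPLE=$(mktemp)
printf '%s\n' 'testuser:!:12900:0:99999:7:::' 'deploy:*:12900:0:99999:7:::' \
    'alice:$6$constructedsalt$constructedhash:12900:0:99999:7:::' >"$SHADOW_SAMPLE"
SSHD_PAM=$(mktemp);   printf '# Debian default\nUsePAM yes\n' >"$SSHD_PAM"
SSHD_NOPAM=$(mktemp); printf 'UsePAM no\n' >"$SSHD_NOPAM"

while IFS= read -r line; do
    printf '%-9s %-12s key login, UsePAM yes: %s  UsePAM no: %s\n' \
        "${line%%:*}" "$(classify_pw_field "$line")" \
        "$(key_login_possible "$line" "$SSHD_PAM")" \
        "$(key_login_possible "$line" "$SSHD_NOPAM")"
done <"$SHADOW_SAMPLE"
rm -f "$SHADOW_SAMPLE" "$SSHD_PAM" "$SSHD_NOPAM"
```

Run against the real files only as root and read-only; the point is to spot accounts that are "locked" in /etc/shadow yet still reachable by key under a PAM-enabled sshd.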