
Bug#219377: SSHd: Ignores Pam Lockout When using SSH PubKey Auth



Phillip Hofmeister writes:
 > Package: ssh
 > Version: 3.4p1-1.woody.3
 > Severity: Important
 > 
 > If a ~/.ssh/authorized_key file exists and a user's account is locked
 > with 'passwd -l' the user can still log in despite the locked account.
 
This is trivially true - all passwd -l does is make the password field
in the {shadow,passwd} file be a value that nothing encrypts to, thus
preventing successful password authentication.

If a user is using publickey authentication, then no password check is
made (that's rather the point) - therefore it will be impossible to
disable access by simply fiddling with the password file.

Accordingly, if a sysadmin wants to be able to disable accounts using
passwd -l, then they'll have to enforce password authentication on all
logins. 

Matthew 

-- 
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org
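The reply above explains why `passwd -l` cannot stop a publickey login: it only rewrites the password field, and publickey authentication never consults that field. The audit script below is an added example for this thread, not code from the bug report or from the ssh package; it reads a shadow file and a passwd file (paths passed as arguments), treats a password field beginning with `!` or `*` as "password authentication disabled", and reports every such account that still has a non-empty `~/.ssh/authorized_keys`, i.e. an account whose lock is not effective for sshd. The `demo` function builds constructed sample users in a temporary directory so the check can be run offline; the key material and hashes in it are placeholders, not real credentials.

```shell
#!/bin/sh
# Added example for Bug#219377 (not from the thread or the ssh package).
# Reports accounts whose password is locked but which still carry an
# authorized_keys file, so that publickey auth would bypass the lock.

# find_locked_with_keys SHADOW_FILE PASSWD_FILE
# Prints one username per line for each account whose shadow password
# field starts with '!' (passwd -l) or '*' (no valid password) and whose
# home directory contains a non-empty .ssh/authorized_keys.
find_locked_with_keys() {
    shadow_file=$1
    passwd_file=$2
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
    while IFS=: read -r name hash _rest; do
        case $hash in
            '!'*|'*'*) ;;      # password auth disabled for this account
            *) continue ;;     # usable password hash: lock not relevant here
        esac
        # passwd fields: name:x:uid:gid:gecos:home:shell -> take field 6
        home=$(awk -F: -v u="$name" '$1 == u { print $6 }' "$passwd_file")
        [ -n "$home" ] || continue
        if [ -s "$home/.ssh/authorized_keys" ]; then
            printf '%s\n' "$name"
        fi
    done < "$shadow_file"
}

# demo: constructed sample data in a temporary directory (not system files).
#   alice - locked, has a key     -> should be reported
#   bob   - locked, empty keyfile -> not reported (no usable key)
#   carol - locked, no .ssh       -> not reported
#   dave  - not locked, has a key -> not reported (lock not the issue)
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/bob/.ssh" \
             "$tmp/home/carol" "$tmp/home/dave/.ssh"
    echo "ssh-ed25519 CONSTRUCTED_KEY_PLACEHOLDER alice@example.invalid" \
        > "$tmp/home/alice/.ssh/authorized_keys"
    : > "$tmp/home/bob/.ssh/authorized_keys"
    echo "ssh-ed25519 CONSTRUCTED_KEY_PLACEHOLDER dave@example.invalid" \
        > "$tmp/home/dave/.ssh/authorized_keys"
    printf '%s\n' \
        "alice:x:1000:1000::$tmp/home/alice:/bin/sh" \
        "bob:x:1001:1001::$tmp/home/bob:/bin/sh" \
        "carol:x:1002:1002::$tmp/home/carol:/bin/sh" \
        "dave:x:1003:1003::$tmp/home/dave:/bin/sh" > "$tmp/passwd"
    # '!' prefix is what passwd -l prepends; hashes are constructed placeholders
    printf '%s\n' \
        'alice:!$6$CONSTRUCTED$HASH:19000:0:99999:7:::' \
        'bob:!$6$CONSTRUCTED$HASH:19000:0:99999:7:::' \
        'carol:!$6$CONSTRUCTED$HASH:19000:0:99999:7:::' \
        'dave:$6$CONSTRUCTED$HASH:19000:0:99999:7:::' > "$tmp/shadow"
    find_locked_with_keys "$tmp/shadow" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a live system the check is run as root with `/etc/shadow` and `/etc/passwd` as the two arguments; any account it prints is one where, as the reply says, the lock only affects password authentication and the sshd configuration (or removal of the key file) has to do the rest.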