
Bug#219377: SSHd: Ignores Pam Lockout When using SSH PubKey Auth




On Thu, 06 Nov 2003 at 05:09:48AM -0500, Matthew Vernon wrote:
> This is trivially true - all passwd -l does is make the password field
> in the {shadow,passwd} file be a value that nothing encrypts to, thus
> preventing successful password authentication.
> 
> If a user is using publickey authentication, then no password check is
> made (that's rather the point) - therefore it will be impossible to
> disable access by simply fiddling with the password file.
> 
> Accordingly, if a sysadmin wants to be able to disable accounts using
> passwd -l, then they'll have to enforce password authentication on all
> logins. 

Actually, using passwd -l adds a ! to the front of the password hash
which is easily detected.  In fact, passwd -S can detect this:

smeister L 05/29/2003 5 180 28 30

So I believe this is definitely something that is doable without forcing
passwords for every login.

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #187: Fanout dropping voltage too much try cutting some of those little traces 

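An added example, not part of the original message and not code from OpenSSH or PAM: a Python audit of the check discussed above, listing accounts whose shadow password field starts with `!` but which still have an `authorized_keys` file. The shadow and passwd lines are constructed sample data, and `~/.ssh/authorized_keys` as the key location is an assumption.

```python
import os
import tempfile

# Constructed sample data, not from a real system.
SHADOW = """alice:$1$salt$constructedhash:12201:5:180:28:30::
smeister:!$1$salt$constructedhash:12201:5:180:28:30::
bob:!$1$salt$constructedhash:12201:0:99999:7:::
daemon:*:12201:0:99999:7:::"""
PASSWD = """alice:x:1000:1000::/home/alice:/bin/bash
smeister:x:1001:1001::/home/smeister:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
daemon:x:1:1::/usr/sbin:/bin/sh"""

def locked_users(shadow_text):
    """Users whose shadow password field starts with '!', as after passwd -l."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return {f[0] for f in rows if len(f) >= 2 and f[1].startswith("!")}

def has_keys(path):
    """True if the file exists and holds at least one non-comment line."""
    try:
        with open(path) as fh:
            return any(l.strip() and not l.lstrip().startswith("#") for l in fh)
    except OSError:
        return False

def locked_with_keys(shadow_text, passwd_text, root="/"):
    """Locked accounts that can still be reached through public-key login."""
    homes = {f[0]: f[5] for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) >= 7}
    hits = []
    for user in sorted(locked_users(shadow_text)):
        home = homes.get(user)
        # Assumed key location: <home>/.ssh/authorized_keys
        path = os.path.join(root, (home or "").lstrip("/"), ".ssh", "authorized_keys")
        if home and has_keys(path):
            hits.append(user)
    return hits

def demo():
    """Build a throwaway tree where alice and smeister have keys, bob has none."""
    with tempfile.TemporaryDirectory() as root:
        for user in ("alice", "smeister"):
            ssh_dir = os.path.join(root, "home", user, ".ssh")
            os.makedirs(ssh_dir)
            with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
                fh.write("ssh-rsa AAAAconstructed %s@example\n" % user)
        return locked_with_keys(SHADOW, PASSWD, root)

if __name__ == "__main__":
    print(demo())
```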



