Bug#219377: Debian bug #219377: further info
severity 219377 wishlist
thanks
On Sun, Nov 09, 2003 at 05:38:09PM +1100, Darren Tucker wrote:
> I have some further info regarding the Debian bug you reported ("sshd
> ignores PAM lockout when using pubkey auth").
>
> Recently this was addressed in the upstream source (3.7p1 and up) for the
> non-PAM case. On platforms that have a concept of a locked account, sshd
> checks for the specific string that denotes a locked account on that
> platform.
>
> When running with PAM enabled, however, sshd delegates all account checks
> to PAM. Thus the locked account check should be done by PAM (probably in
> pam_acct_mgmt).
>
> Later patchlevels of Solaris do this kind of check in PAM (I think in
> pam_acct_mgmt, but I'm not sure of that).
To lock an account, I think you should set the shell to /bin/false or
/dev/null or similar. Having asked around, I know people who
deliberately lock the password to force public-key authentication only;
implementing this feature request would break that facility.
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
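
An added example, not part of the original thread or of OpenSSH: a Python audit over constructed passwd and shadow lines that separates accounts with only a locked password (the case the thread says sshd with PAM still admits via public key) from accounts whose shell has been disabled. The `!` lock prefix is the Linux shadow convention, and the shell list and status names are assumptions of this example.

```python
# Constructed sample data (not real accounts); hashes are placeholders.
PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/false
"""
SHADOW = """\
alice:$6$constructed$hash:19000:0:99999:7:::
bob:!$6$constructed$hash:19000:0:99999:7:::
carol:!$6$constructed$hash:19000:0:99999:7:::
"""

# Assumption: shells treated as "login disabled" for this audit.
NOLOGIN_SHELLS = {"/bin/false", "/dev/null", "/usr/sbin/nologin", "/sbin/nologin"}


def password_locked(field, prefix="!"):
    """Linux shadow convention: a leading '!' marks a locked password."""
    return field.startswith(prefix)


def classify(passwd_text, shadow_text):
    """Map each user to 'active', 'shell-disabled' or
    'password-locked-key-login-possible'."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]

    result = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # skip malformed passwd entries
        user, shell = parts[0], parts[6]
        if shell in NOLOGIN_SHELLS:
            # The approach suggested in the reply: disable the shell.
            result[user] = "shell-disabled"
        elif password_locked(shadow.get(user, "")):
            # Password is locked but the shell is usable, so a key in
            # authorized_keys would still grant a session.
            result[user] = "password-locked-key-login-possible"
        else:
            result[user] = "active"
    return result


if __name__ == "__main__":
    for user, status in classify(PASSWD, SHADOW).items():
        print(f"{user}: {status}")
```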