cvs commit: src/share/man/man5 passwd.5

Ceri Davies ceri at submonkey.net
Mon Sep 19 09:52:30 PDT 2005


On Mon, Sep 19, 2005 at 03:20:20PM +0300, Giorgos Keramidas wrote:
> On 2005-09-18 23:24, Ceri Davies <ceri at submonkey.net> wrote:
> >On Sun, Sep 18, 2005 at 11:31:09PM +0300, Giorgos Keramidas wrote:
> >>On 2005-09-18 20:16, Gavin Atkinson <gavin.atkinson at ury.york.ac.uk> wrote:
> >>> On Sun, 18 Sep 2005, Giorgos Keramidas wrote:
> >>> > Modified files:
> >>> >   share/man/man5       passwd.5
> >>> > Log:
> >>> > Explain the use of `*' in master.passwd and that it's slightly
> >>> > different from the use of `*' in /etc/passwd.
> >>>
> >>> +.Nm master.passwd
> >>> +file, a password of
> >>> +.Ql *
> >>> +is used to indicate that no one can ever log into that account.
> >>> +The field only contains encrypted passwords, and
> >>> +.Ql *
> >>> +can never be the result of encrypting a password.
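Review bot: "is used to indicate that no one can ever log into that account" overstates what `*` achieves. Since the field holds only encrypted passwords and `*` can never be the result of encrypting a password, the entry guarantees only that no typed password can ever match; authentication methods that do not consult the password field, such as SSH public keys, are unaffected. Suggest "is used to indicate that password authentication can never succeed for that account" in place of "no one can ever log into that account", and "The field can only contain encrypted passwords" rather than "The field only contains encrypted passwords", since the sentence states a constraint rather than an observation.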
> >>>
> >>> This is not strictly true - all it prevents is logins using passwords.
> >>> Passwordless logins using SSH public keys (for example) are unaffected.
> >
> > Since "pw lock" has been entering the string '*LOCKED*' for years now,
> > is there any reason why this has never been fed back to the OpenSSH
> > project for inclusion as LOCKED_PASSWD_STRING for FreeBSD?
> >
> > Then we can document that in passwd.5 too and usage can start to
> > converge.
> 
> Hi Ceri,
> 
> The `*' reference above in master.passwd is not really OpenSSH-related.
> I think I'm not 100% sure why you were reminded of OpenSSH.  Do you mean
> that we should document OpenSSH's and pw's ``*LOCKED*'' convention in
> there too?

What I'm getting at is that some operating systems allow a special *FOO
string in their (equivalent of) master.passwd file in order to indicate
that sshd should not allow users with that string in their entry to log
in.

For example, Solaris uses the string *NP* to indicate that a user has no
password - password authentication is therefore disabled for that user,
disallowing su, password-based ssh access, etc.  Cron jobs, key-based
auth, etc. continue to work.  It also supports *LK* which indicates that
an account is locked: in this case, cron jobs for the user will not be
run and ssh access is denied altogether.

The ssh bit works because OpenSSH knows that it should be looking for
the string *LK* and denying access if it is there.  Search for
LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.

What I'm wondering is why OpenSSH doesn't know about *LOCKED*;  previous
discussions that I've had indicate that this is because we (the FreeBSD
project) haven't decided that *LOCKED* is canonical enough yet.

Ceri
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
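The distinction the thread draws between "password authentication cannot succeed" and "the account is locked for every method" is easy to lose when auditing a host. The script below is an added example, not code from the thread, from FreeBSD or from OpenSSH. It parses constructed master.passwd-style lines, classifies the password field according to the conventions named in the discussion (`*`, pw lock's `*LOCKED*`, Solaris `*NP*` and `*LK*`), and reports which accounts a public key would still reach. The sshd behaviour it models follows the thread's description of Solaris and OpenSSH; assuming the same on other systems, and assuming that pw lock prefixes the existing hash with `*LOCKED*`, are both assumptions made here. The sample lines, fake hashes and the set of accounts with an authorized_keys file are all constructed.

```python
"""Audit the password field of master.passwd entries (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in FreeBSD master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell. Hashes are fake.
SAMPLE_MASTER_PASSWD = """\
root:$6$constructed$notarealhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*LOCKED*$6$constructed$notarealhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*NP*:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:*LK*:1004:1004::0:0:Dave:/home/dave:/bin/sh
"""

# Constructed: accounts that have an ~/.ssh/authorized_keys file on the host.
SAMPLE_HAS_AUTHORIZED_KEYS = {"alice", "bob"}


@dataclass
class Verdict:
    user: str
    password_auth: bool   # could a typed password ever match the field?
    sshd_rejects: bool    # does sshd refuse the account regardless of method?
    note: str


def classify_password_field(field: str) -> Tuple[bool, bool, str]:
    """Return (password_auth_possible, sshd_rejects, explanation)."""
    if field == "":
        return True, False, "empty field: an empty password is accepted"
    if field == "*":
        return False, False, ("'*' is never the result of encrypting a password, "
                              "so password auth cannot succeed; key auth unaffected")
    if field.startswith("*LOCKED*"):
        # Assumption: pw lock prefixes the existing hash with *LOCKED*, and
        # (as the thread states) OpenSSH does not treat that string as a lock.
        return False, False, ("pw lock marker: password auth cannot succeed; "
                              "sshd does not recognise *LOCKED* as a lock")
    if field == "*NP*":
        return False, False, ("Solaris no-password marker: password auth disabled, "
                              "key-based auth continues")
    if field == "*LK*":
        # Solaris locked account: OpenSSH's LOCKED_PASSWD_STRING check denies
        # ssh access altogether (behaviour as described in the thread).
        return False, True, "Solaris locked marker: sshd denies access altogether"
    if field.startswith("*"):
        return False, False, "non-hash marker: password auth cannot succeed"
    return True, False, "hash present: password auth possible"


def parse_master_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (user, password_field) for each non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"malformed master.passwd line: {raw!r}")
        entries.append((parts[0], parts[1]))
    return entries


def audit(text: str, has_keys: Set[str]) -> List[Verdict]:
    """Classify every entry and flag accounts still reachable by public key."""
    verdicts = []
    for user, field in parse_master_passwd(text):
        pw_ok, rejects, note = classify_password_field(field)
        if not pw_ok and not rejects and user in has_keys:
            note += "; authorized_keys present, so SSH public-key login still works"
        verdicts.append(Verdict(user, pw_ok, rejects, note))
    return verdicts


def still_reachable_without_password(text: str, has_keys: Set[str]) -> List[str]:
    """Accounts whose password field blocks passwords but that sshd would still
    admit with a public key: the gap Gavin's reply points out."""
    return [v.user for v in audit(text, has_keys)
            if not v.password_auth and not v.sshd_rejects and v.user in has_keys]


if __name__ == "__main__":
    for v in audit(SAMPLE_MASTER_PASSWD, SAMPLE_HAS_AUTHORIZED_KEYS):
        print(f"{v.user:8} password_auth={v.password_auth!s:5} "
              f"sshd_rejects={v.sshd_rejects!s:5} {v.note}")
    print("reachable by key only:",
          still_reachable_without_password(SAMPLE_MASTER_PASSWD,
                                           SAMPLE_HAS_AUTHORIZED_KEYS))
```

On the constructed sample, `alice` (pw-locked) and `bob` (`*`) both show up as reachable by key, which is exactly why a `*` or `*LOCKED*` field should be read as "no password will ever match" rather than "nobody can log in"; only the Solaris `*LK*` entry is refused by sshd outright in this model.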