cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c

Eygene Ryabinkin rea-fbsd at codelabs.ru
Thu Apr 26 13:58:58 UTC 2007 

Alexander, good day.

Thu, Apr 26, 2007 at 01:54:59PM +0300, Alexandr Kovalenko wrote:
> >     In account management, verify whether the account has been locked
> >     with `pw lock', so that it's impossible to log into a locked account
> >     using an alternative authentication mechanism, such as an ssh key.
> >     This change affects only accounts locked with pw(8), i.e., having a
> >     `*LOCKED*' prefix in their password hash field, so people still can
> >     use a different pattern to disable password authentication only.
> 
> Using the very same logic you should also add checking for '*', and for
> any other string, which cannot be in password hash of different
> algorithms.

No, Yar is talking about the _locked_ accounts only. '*' means
that user will not be able to authenticate with password.

> By the way, what if some crypto algorithm, which will be
> used for password hashing can produce hash, which contains substring
> '*LOCKED*' ?

We are not talking about the _substring_ -- we are talking about
_prefix_. Look into your /etc/master.passwd -- every password starts
with the '$<something>$' sequence that identifies the hashing algo.
So _no_ valid password field will have anything that starts with
'*' as the prefix.

> But anyway, I think that it is not expected behavour of sshd/pam_unix.
> 
> >From the pw manual page:
> 
> USER LOCKING
> 	 The pw utility supports a simple _password_ locking mechanism for
> 	 users; it works by prepending the string `*LOCKED*' to the
> 	 beginning of the password field in master.passwd to prevent
> 	 successful authentication.
> 
> Please note word _password_. There is nothing about locking _account_
> completely.

It is arguably as the 'ps' page talks about passwords only, but
can mean the accounts, because it was written with the password-auth
in mind. Moreover, the next paragraph is:
-----
  The lock and unlock commands take a user name or uid of the account to
  lock or unlock, respectively.  The -V, -C, and -q options as described
  above are accepted by these commands.
-----
Note the 'account' word in it.

> Please consider reviewing this PR and, hopefully, back out this commit.
> At least for a lot of people - it is POLA violation.

I think that it should be discuissed. Perhaps the Cerie's proposition
should be takes as the basis.

My two cents.
-- 
Eygene

More information about the cvs-src mailing list