Re: disabled account accepting publickey authentication

From: Darren Tucker (dtucker@dodgy.net.au)
Date: 01/06/03

• Next message: Carl: "Re: SSH_RC_OK error message ?"
• Previous message: Richard E. Silverman: "Re: error "Protocol major versions differ: 1 vs. 2""
• In reply to: Richard E. Silverman: "Re: disabled account accepting publickey authentication"
• Next in thread: Brian Whitehead: "Re: disabled account accepting publickey authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: dtucker@dodgy.net.au (Darren Tucker)
Date: Mon, 06 Jan 2003 12:19:29 GMT

In article <m1lznqe8ovs.fsf@syrinx.oankali.net>,
Richard E. Silverman <slade@shore.net> wrote:
>>>>>> "DT" == Darren Tucker <dtucker@dodgy.net.au> writes:
> DT> In my opinion it's a bug. "Locked" should mean "can't be logged
> DT> into remotely".
>
>I don't think this is necessarily the right interpretation. The RedHat
>doc says "locks the account;" Solaris says "locks the password entry."

On Solaris, that depends on where you look. The man page for shadow
says of the password entry:

        A 13-character encrypted password for the user, a
        lock string to indicate that the login is not
        accessible, or no string, which shows that there
        is no password for the login.

>Rendering password entries
>unmatchable in this manner is a convenient way of allowing SSH password
>authentication for some accounts, but requiring something else
>(e.g. public-key) for others.

Solaris' no-password entry "*NP*" would seem ideal for that. You may
note my suggested patch explicitly checks for the "*LK*" string for
exactly that reason.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

• Next message: Carl: "Re: SSH_RC_OK error message ?"
• Previous message: Richard E. Silverman: "Re: error "Protocol major versions differ: 1 vs. 2""
• In reply to: Richard E. Silverman: "Re: disabled account accepting publickey authentication"
• Next in thread: Brian Whitehead: "Re: disabled account accepting publickey authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: 4.3p1 and idled ... idled stills notices that your session has been left alone ... This is on a Solaris 8 system. ... portability changelog that references tty behavior, but then again I may be ... Good judgement comes with experience. ... (SSH) Re: Cisse ... We're not talking about a judgement call here. ... fundamental ignorance of the laws. ... that contact with the hand was intentional is just that - interpretation. ... I can't see any excuse at all for flagging for offside from a throwin, however, ... (uk.sport.football.clubs.liverpool) Re: statically-linked executables ... not a supported ABI on Solaris and is pretty much guaranteed to break at ... just need to make sure that the linker finds static libraries first. ... Good judgement comes with experience. ... (comp.security.ssh) Re: redhat 5.3 :) ssh ... >it is supported and if such thing exists by redhat 5.3.Do u have any ... I don't know about an rpm, but building OpenSSH 3.7.1p2 from source ... (I didn't bother submitting a bug report since ... Good judgement comes with experience. ... (comp.unix.admin) Re: password-less logins on solaris 2.5.1 boxen - subtle troubles ... > Trying to set up password-less keypair logins between solaris 2.5.1 ... > boxes. ... I can get them to work with some usernames, ... Good judgement comes with experience. ... (SSH)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint