Re: SSH ignores locked accounts

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 11/23/03

Date: Sun, 23 Nov 2003 10:58:40 -0500

"Darren Tucker" <dtucker@dodgy.net.au> wrote in message
news:bp6gfk$21m$1@gate.dodgy.net.au...
> In article <k5adnXSf1IAtoCuiRVn-jA@comcast.com>,
> Nico Kadel-Garcia <nkadel@comcast.net> wrote:
> >> [about sshd honouring locked accounts]
> >
> >In many environments, this "insecurity" is a very big feature. By forcing
> >the remote users to use SSH key access rather than password based access, it
> >allows a very fine grade of control over who has access to the account in
> >question.
>
> You can still get this behaviour if that's what you want, just not by
> locking the account.
>
> Set the passwd entry to something that isn't the lock string but isn't a
> valid password either. Solaris, for example, uses the literal string "NP"
> for "Not Participating". This is mentioned in the sshd man page.

True! But it's information stored in a rather non-standard way. Many user
configuration tools use their own default string, usually "*", to lock
accounts. And the console "passwd" or "yppasswd" command does not usually
allow the use of pre-encrypted passwords, so you have to either edit
/etc/shadow or /etc/passwd by hand (always dangerous and prone to typos!),
or rewrite your user configuration tools to add a new "NP" option, etc.

I'm just saying it's adding an additional password option in a non-standard
way that takes some extra maintenance by your admins.
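As an added illustration of the distinction both posters are drawing (not code from either of them), here is a small Python audit script that reads /etc/shadow-style lines and separates accounts that are locked with the usual lock strings ("!" prefix as written by passwd -l on Linux, "*", "!!", Solaris "*LK*") from accounts whose password field is the Solaris "NP" ("Not Participating") value, which disables password login without marking the account locked. The shadow lines are constructed samples; the user names, hashes and the helper names are assumptions for the example.

```python
# Classify the password field of /etc/shadow entries so an admin can see which
# accounts are locked, which are "NP" (no valid password but not locked), which
# have no password at all, and which carry a real hash.

# Constructed sample shadow lines (not from the original post); only the first
# two fields matter for this audit. The hashes are placeholders, not real ones.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
alice:!$6$saltsalt$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
bob:*:19000:0:99999:7:::
carol:NP:19000:0:99999:7:::
dave:*LK*:19000:0:99999:7:::
eve::19000:0:99999:7:::
frank:!!:19000:0:99999:7:::
"""

# "!" prefix: Linux passwd -l; "*" and "*LK*": common lock / no-password strings;
# "!!": never-set password on Red Hat style systems. All start with "!" or "*".
LOCK_PREFIXES = ("!", "*")
# Solaris "Not Participating": no valid password, but the account is not locked.
NP_STRING = "NP"


def classify_password_field(field):
    """Return one of: 'empty', 'not-participating', 'locked', 'hashed'."""
    if field == "":
        # No password at all; only safe if sshd's PermitEmptyPasswords is off.
        return "empty"
    if field == NP_STRING:
        return "not-participating"
    if field.startswith(LOCK_PREFIXES):
        return "locked"
    return "hashed"


def audit_shadow(text):
    """Map user name -> classification for every well-formed shadow line."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; skip rather than guess
        result[fields[0]] = classify_password_field(fields[1])
    return result


def key_only_candidates(text):
    """Accounts in the state the quoted reply recommends for key-only SSH
    access: password login disabled via "NP" without locking the account."""
    return sorted(u for u, c in audit_shadow(text).items()
                  if c == "not-participating")


def locked_accounts(text):
    """Accounts carrying a conventional lock string, which sshd treats as
    locked regardless of whether the user has an authorized key."""
    return sorted(u for u, c in audit_shadow(text).items() if c == "locked")


if __name__ == "__main__":
    for user, state in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
    print("key-only candidates:", key_only_candidates(SAMPLE_SHADOW))
    print("locked:", locked_accounts(SAMPLE_SHADOW))
```

Run against a real shadow file (as root, read-only) by replacing SAMPLE_SHADOW with the file's contents; the point of the script is that "locked" and "not-participating" are different states to sshd even though both refuse password login, which is exactly why tools that only know "*" need a separate "NP" option.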