

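--- a/acconfig.h
+++ b/acconfig.h
@@ -374,6 +374,11 @@
 /* Some systems put this outside of libc */
 #undef HAVE_NANOSLEEP
 
+/* Strings used in /etc/passwd to denote locked account */
+#undef LOCKED_PASSWD_STRING
+#undef LOCKED_PASSWD_PREFIX
+#undef LOCKED_PASSWD_SUBSTR
+
 @BOTTOM@
 
 /* ******************* Shouldn't need to edit below this line ************** */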
(-)auth.c (-1 / +32 lines)
Lines 72-78 Link Here
72
allowed_user(struct passwd * pw)
72
allowed_user(struct passwd * pw)
73
{
73
{
74
	struct stat st;
74
	struct stat st;
75
	const char *hostname = NULL, *ipaddr = NULL;
75
	const char *hostname = NULL, *ipaddr = NULL, *passwd;
76
	char *shell;
76
	char *shell;
77
	int i;
77
	int i;
78
#ifdef WITH_AIXAUTHENTICATE
78
#ifdef WITH_AIXAUTHENTICATE
Lines 120-125 Link Here
120
		}
120
		}
121
	}
121
	}
122
#endif
122
#endif
123
124
    	/* grab passwd field for locked account check */
125
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
126
	passwd = spw->sp_pwdp;
127
#else
128
	passwd = pw->pw_passwd;
129
#endif
130
131
	/* check for locked account */ 
132
	if (passwd && *passwd) {
133
		int locked = 0;
134
135
#ifdef LOCKED_PASSWD_STRING
136
		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
137
			 locked = 1;
138
#endif
139
#ifdef LOCKED_PASSWD_PREFIX
140
		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
141
		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
142
			 locked = 1;
143
#endif
144
#ifdef LOCKED_PASSWD_SUBSTR
145
		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
146
			locked = 1;
147
#endif
148
		if (locked) {
149
			log("User %.100s not allowed because account is locked",
150
			    pw->pw_name);
151
			return 0;
152
		}
153
	}
123
154
124
	/*
155
	/*
125
	 * Get the shell from the password data.  An empty shell field is
156
	 * Get the shell from the password data.  An empty shell field is
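Review bot: `passwd = spw->sp_pwdp;` in the shadow branch dereferences `spw` without a NULL check; `spw` is declared and looked up before this hunk, and if that getspnam() lookup can fail (no shadow entry for the user, or sshd running without privilege to read the shadow file) this is a NULL dereference on the pre-authentication path, and if the lookup is skipped on some configurations `spw` would be uninitialised here, which is worse. A guarded fallback keeps the check usable, `passwd = (spw != NULL) ? spw->sp_pwdp : pw->pw_passwd;`, but note that on shadow systems `pw_passwd` is normally just `x`, so the fallback turns the lock check into a silent no-op rather than failing closed; if the design intent is fail-closed, log and reject in that case instead. The empty-field test `if (passwd && *passwd)` likewise skips the check entirely for accounts with an empty password field, which matches the existing behaviour for such accounts but deserves a comment saying so. Style-wise, the comment on the first added line is indented with spaces followed by a tab while the rest of the hunk uses tabs only. allowed_user continues outside the hunk.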
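--- a/configure.ac
+++ b/configure.ac
@@ -126,6 +126,7 @@
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	LIBS="$LIBS -lsec -lsecpw"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	disable_ptmx_check=yes
@@ -142,6 +143,7 @@
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@@ -155,6 +157,7 @@
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@@ -183,6 +186,7 @@
 	AC_DEFINE(PAM_TTY_KLUDGE)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
 	AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
+	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
 	inet6_default_4in6=yes
 	;;
 mips-sony-bsd|mips-sony-newsos4)
@@ -216,6 +220,7 @@
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(LOGIN_NEEDS_TERM)
 	AC_DEFINE(PAM_TTY_KLUDGE)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	# hardwire lastlog location (can't detect it on some versions)
 	conf_lastlog_location="/var/adm/lastlog"
 	AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
@@ -336,6 +341,7 @@
 		fi
 	fi
 	AC_DEFINE(DISABLE_FD_PASSING)
+	AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
 	;;
 
 *-*-nto-qnx)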
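Review bot: The Linux hunk defines `LOCKED_PASSWD_PREFIX` as `"!!"`, but on shadow-utils based systems `passwd -l` locks an account by prepending a single `!` to the existing hash, so an account locked that way would not match the prefix and could still authenticate with a public key, which is exactly the gap this patch sets out to close. `AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")` covers both the `!` and `!!` forms, since a prefix test on the shorter marker also matches the longer one. The same reasoning argues for prefix rather than exact-string matching on any platform whose lock tool keeps the old hash after the marker; this seems worth confirming for the Solaris `*LK*` define, which uses the exact-match LOCKED_PASSWD_STRING.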
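--- a/sshd.8
+++ b/sshd.8
@@ -112,6 +112,29 @@
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible.  An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&.  The definition of a locked account is system dependant. Some platforms
+have their own account database (eg AIX) and some modify the passwd field (
+.Ql \&*LK\&*
+on Solaris,
+.Ql \&*
+on HP-UX, containing
+.Ql Nologin
+on Tru64 and a leading
+.Ql \&!!
+on Linux).  If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
 Rhosts authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.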
