Bugzilla – Attachment 237 Details for Bug 442: sshd allows login via public-key when account locked
[patch] Check for locked accounts, as specified by configure.
openssh-pwlock6.patch (text/plain), 5.01 KB, created by Darren Tucker on 2003-02-23 22:53:18 AEDT
Description: Check for locked accounts, as specified by configure.
Filename: openssh-pwlock6.patch
MIME Type: text/plain
Creator: Darren Tucker
Created: 2003-02-23 22:53:18 AEDT
Size: 5.01 KB
Flags: patch, obsolete
>Index: acconfig.h >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v >retrieving revision 1.148 >diff -u -r1.148 acconfig.h >--- acconfig.h 28 Jan 2003 00:33:44 -0000 1.148 >+++ acconfig.h 23 Feb 2003 11:09:07 -0000 >@@ -374,6 +374,11 @@ > /* Some systems put this outside of libc */ > #undef HAVE_NANOSLEEP > >+/* Strings used in /etc/passwd to denote locked account */ >+#undef LOCKED_PASSWD_STRING >+#undef LOCKED_PASSWD_PREFIX >+#undef LOCKED_PASSWD_SUBSTR >+ > @BOTTOM@ > > /* ******************* Shouldn't need to edit below this line ************** */ >Index: auth.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v >retrieving revision 1.67 >diff -u -r1.67 auth.c >--- auth.c 18 Jan 2003 05:24:06 -0000 1.67 >+++ auth.c 23 Feb 2003 11:28:55 -0000 >@@ -72,7 +72,7 @@ > allowed_user(struct passwd * pw) > { > struct stat st; >- const char *hostname = NULL, *ipaddr = NULL; >+ const char *hostname = NULL, *ipaddr = NULL, *passwd; > char *shell; > int i; > #ifdef WITH_AIXAUTHENTICATE 
>@@ -120,6 +120,37 @@ > } > } > #endif >+ >+ /* grab passwd field for locked account check */ >+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) >+ passwd = spw->sp_pwdp; >+#else >+ passwd = pw->pw_passwd; >+#endif >+ >+ /* check for locked account */ >+ if (passwd && *passwd) { >+ int locked = 0; >+ >+#ifdef LOCKED_PASSWD_STRING >+ if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) >+ locked = 1; >+#endif >+#ifdef LOCKED_PASSWD_PREFIX >+ if (strncmp(passwd, LOCKED_PASSWD_PREFIX, >+ strlen(LOCKED_PASSWD_PREFIX)) == 0) >+ locked = 1; >+#endif >+#ifdef LOCKED_PASSWD_SUBSTR >+ if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) >+ locked = 1; >+#endif >+ if (locked) { >+ log("User %.100s not allowed because account is locked", >+ pw->pw_name); >+ return 0; >+ } >+ } > > /* > * Get the shell from the password data. An empty shell field is >Index: configure.ac >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v >retrieving revision 1.106 >diff -u -r1.106 configure.ac >--- configure.ac 10 Feb 2003 23:04:03 -0000 1.106 >+++ configure.ac 23 Feb 2003 11:08:45 -0000 >@@ -126,6 +126,7 @@ > AC_DEFINE(DISABLE_SHADOW) > AC_DEFINE(DISABLE_UTMP) > AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT) >+ AC_DEFINE(LOCKED_PASSWD_STRING, "*") > LIBS="$LIBS -lsec -lsecpw" > AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) > disable_ptmx_check=yes >@@ -142,6 +143,7 @@ > AC_DEFINE(DISABLE_SHADOW) > AC_DEFINE(DISABLE_UTMP) > AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT) >+ AC_DEFINE(LOCKED_PASSWD_STRING, "*") > LIBS="$LIBS -lsec" > AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) > ;; 
>@@ -155,6 +157,7 @@ > AC_DEFINE(DISABLE_SHADOW) > AC_DEFINE(DISABLE_UTMP) > AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT) >+ AC_DEFINE(LOCKED_PASSWD_STRING, "*") > LIBS="$LIBS -lsec" > AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) > ;; >@@ -183,6 +186,7 @@ > AC_DEFINE(PAM_TTY_KLUDGE) > AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV) > AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0') >+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!") > inet6_default_4in6=yes > ;; > mips-sony-bsd|mips-sony-newsos4) >@@ -216,6 +220,7 @@ > AC_DEFINE(LOGIN_NEEDS_UTMPX) > AC_DEFINE(LOGIN_NEEDS_TERM) > AC_DEFINE(PAM_TTY_KLUDGE) >+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") > # hardwire lastlog location (can't detect it on some versions) > conf_lastlog_location="/var/adm/lastlog" > AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) >@@ -336,6 +341,7 @@ > fi > fi > AC_DEFINE(DISABLE_FD_PASSING) >+ AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") > ;; > > *-*-nto-qnx) >Index: sshd.8 >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.8,v >retrieving revision 1.150 >diff -u -r1.150 sshd.8 >--- sshd.8 25 Sep 2002 02:20:54 -0000 1.150 >+++ sshd.8 23 Feb 2003 11:41:59 -0000 
>@@ -112,6 +112,29 @@ > authentication, RSA challenge-response authentication, or password > based authentication. > .Pp >+Regardless of the authentication type, the account is checked to >+ensure that it is accessible. An account is not accessible if it is >+locked, listed in >+.Cm DenyUsers >+or its group is listed in >+.Cm DenyGroups >+\&. The definition of a locked account is system dependant. Some platforms >+have their own account database (eg AIX) and some modify the passwd field ( >+.Ql \&*LK\&* >+on Solaris, >+.Ql \&* >+on HP-UX, containing >+.Ql Nologin >+on Tru64 and a leading >+.Ql \&!! >+on Linux). If there is a requirement to disable password authentication >+for the account while allowing still public-key, then the passwd field >+should be set to something other than these values (eg >+.Ql NP >+or >+.Ql \&*NP\&* >+). >+.Pp > Rhosts authentication is normally disabled > because it is fundamentally insecure, but can be enabled in the server > configuration file if desired.
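Review bot: in the auth.c hunk at @@ -120,6 +120,37 @@, `passwd = spw->sp_pwdp;` dereferences `spw` with no NULL check, and nothing in this patch declares or assigns `spw` (the first auth.c hunk only adds `*passwd` to the declaration list). If `spw` is the result of an earlier `getspnam()`, which returns NULL when sshd cannot read the shadow entry, this crashes before the locked-account check runs; guard it, e.g. `passwd = (spw != NULL) ? spw->sp_pwdp : pw->pw_passwd;`, and confirm that `spw` is actually declared under exactly `HAVE_SHADOW_H && !DISABLE_SHADOW` rather than under a narrower condition.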
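Review bot: in the configure.ac hunk at @@ -183,6 +186,7 @@ the Linux case defines `LOCKED_PASSWD_PREFIX` as `"!!"`, but `passwd -l` and `usermod -L` from shadow-utils lock an account by prepending a single `!` to the existing hash, so a field such as `!$1$...` does not match and that account would still pass `allowed_user()`. `AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")` covers both the single `!` and the `!!` form.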
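Review bot: in the sshd.8 hunk, "system dependant" should read "system dependent", "while allowing still public-key" should read "while still allowing public-key", and "eg" should be "e.g." in both places. The line `\&.` following `.Cm DenyGroups` renders as "DenyGroups ." with a space before the full stop; mdoc handles trailing punctuation as an argument, so write `.Cm DenyGroups .` and start "The definition of a locked account" on the next line.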