Attachment #477 for bug #729

View | Details | Raw Unified | Return to bug 729
Collapse All | Expand All

Lines 131-137 Link Here

(-)auth.c.orig (-1 / +1 lines)
131	#endif	131	#endif
132		132
133	/* check for locked account */	133	/* check for locked account */
134	if (!options.use_pam && passwd && *passwd) {	134	if (!options.use_pam && passwd && *passwd && options.deny_locked_accounts) {
135	int locked = 0;	135	int locked = 0;
136		136
137	#ifdef LOCKED_PASSWD_STRING	137	#ifdef LOCKED_PASSWD_STRING

Lines 100-105 Link Here

(-)servconf.c.orig (+10 lines)
100	options->client_alive_count_max = -1;	100	options->client_alive_count_max = -1;
101	options->authorized_keys_file = NULL;	101	options->authorized_keys_file = NULL;
102	options->authorized_keys_file2 = NULL;	102	options->authorized_keys_file2 = NULL;
		103	options->deny_locked_accounts = -1;
103		104
104	/* Needs to be accessable in many places */	105	/* Needs to be accessable in many places */
105	use_privsep = -1;	106	use_privsep = -1;
Lines 225-230 Link Here
225	if (options->authorized_keys_file == NULL)	226	if (options->authorized_keys_file == NULL)
226	options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;	227	options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
227		228
		229	if (options->deny_locked_accounts == -1)
		230	options->deny_locked_accounts = 1;
		231
228	/* Turn privilege separation on by default */	232	/* Turn privilege separation on by default */
229	if (use_privsep == -1)	233	if (use_privsep == -1)
230	use_privsep = 1;	234	use_privsep = 1;
Lines 264-269 Link Here
264	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,	268	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
265	sGssAuthentication, sGssCleanupCreds,	269	sGssAuthentication, sGssCleanupCreds,
266	sUsePrivilegeSeparation,	270	sUsePrivilegeSeparation,
		271	sDenyLockedAccounts,
267	sDeprecated, sUnsupported	272	sDeprecated, sUnsupported
268	} ServerOpCodes;	273	} ServerOpCodes;
269		274
Lines 355-360 Link Here
355	{ "authorizedkeysfile", sAuthorizedKeysFile },	360	{ "authorizedkeysfile", sAuthorizedKeysFile },
356	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },	361	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
357	{ "useprivilegeseparation", sUsePrivilegeSeparation},	362	{ "useprivilegeseparation", sUsePrivilegeSeparation},
		363	{ "denylockedaccounts", sDenyLockedAccounts },
358	{ NULL, sBadOption }	364	{ NULL, sBadOption }
359	};	365	};
360		366
Lines 731-736 Link Here
731	intptr = &options->allow_tcp_forwarding;	737	intptr = &options->allow_tcp_forwarding;
732	goto parse_flag;	738	goto parse_flag;
733		739
		740	case sDenyLockedAccounts:
		741	intptr = &options->deny_locked_accounts;
		742	goto parse_flag;
		743
734	case sUsePrivilegeSeparation:	744	case sUsePrivilegeSeparation:
735	intptr = &use_privsep;	745	intptr = &use_privsep;
736	goto parse_flag;	746	goto parse_flag;

Lines 123-128 Link Here

(-)servconf.h.orig (+1 lines)
123	char authorized_keys_file; / File containing public keys */	123	char authorized_keys_file; / File containing public keys */
124	char *authorized_keys_file2;	124	char *authorized_keys_file2;
125	int use_pam; /* Enable auth via PAM */	125	int use_pam; /* Enable auth via PAM */
		126	int deny_locked_accounts;
126	} ServerOptions;	127	} ServerOptions;
127		128
128	void initialize_server_options(ServerOptions *);	129	void initialize_server_options(ServerOptions *);

Lines 194-199 Link Here

(-)sshd_config.5.orig (+6 lines)
194	Only group names are valid; a numerical group ID is not recognized.	194	Only group names are valid; a numerical group ID is not recognized.
195	By default, login is allowed for all groups.	195	By default, login is allowed for all groups.
196	.Pp	196	.Pp
		197	.It Cm DenyLockedAccounts
		198	Specifies whether accounts that are "locked" are denied access no matter
		199	what authentication method is used. This only takes effect for non-PAM
		200	authentication, and it serves to deny even public-key access to an account
		201	that has a locked password. The default is to deny locked users.
		202	.Pp
197	.It Cm DenyUsers	203	.It Cm DenyUsers
198	This keyword can be followed by a list of user name patterns, separated	204	This keyword can be followed by a list of user name patterns, separated
199	by spaces.	205	by spaces.

Lines 92-96 Link Here

(-)sshd_config.orig (+6 lines)
92	# no default banner path	92	# no default banner path
93	#Banner /some/path	93	#Banner /some/path
94		94
		95	# By default, accounts that are "locked" are denied regardless of
		96	# authentication method. This disables that behavior, which may be
		97	# appropriate for systems that only used locked accounts and never
		98	# permit PasswordAuthnetication.
		99	#DenyLockedAccounts no
		100
95	# override default of no subsystems	101	# override default of no subsystems
96	Subsystem sftp /usr/libexec/sftp-server	102	Subsystem sftp /usr/libexec/sftp-server

Return to bug 729