
(-)auth.c.orig (-1 / +1 lines)
Lines 131-137 Link Here
131
#endif
131
#endif
132
132
133
	/* check for locked account */ 
133
	/* check for locked account */ 
134
	if (!options.use_pam && passwd && *passwd) {
134
	if (!options.use_pam && passwd && *passwd && options.deny_locked_accounts) {
135
		int locked = 0;
135
		int locked = 0;
136
136
137
#ifdef LOCKED_PASSWD_STRING
137
#ifdef LOCKED_PASSWD_STRING
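--- a/servconf.c
+++ b/servconf.c
@@ -100,6 +100,7 @@
 	options->client_alive_count_max = -1;
 	options->authorized_keys_file = NULL;
 	options->authorized_keys_file2 = NULL;
+	options->deny_locked_accounts = -1;
 
 	/* Needs to be accessable in many places */
 	use_privsep = -1;
@@ -225,6 +226,9 @@
 	if (options->authorized_keys_file == NULL)
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 
+	if (options->deny_locked_accounts == -1)
+		options->deny_locked_accounts = 1;
+
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
@@ -264,6 +268,7 @@
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds,
 	sUsePrivilegeSeparation,
+	sDenyLockedAccounts,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -355,6 +360,7 @@
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation},
+	{ "denylockedaccounts", sDenyLockedAccounts },
 	{ NULL, sBadOption }
 };
 
@@ -731,6 +737,10 @@
 		intptr = &options->allow_tcp_forwarding;
 		goto parse_flag;
 
+	case sDenyLockedAccounts:
+		intptr = &options->deny_locked_accounts;
+		goto parse_flag;
+
 	case sUsePrivilegeSeparation:
 		intptr = &use_privsep;
 		goto parse_flag;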
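Review bot: The default `options->deny_locked_accounts = 1;` in the second hunk is the line that fixes the security posture when the keyword is absent, yet it carries no comment while the neighbouring `/* Turn privilege separation on by default */` does. I'd add above that `if`: `/* Deny locked accounts unless configured otherwise; keeps the auth.c check on by default */`. The `case sDenyLockedAccounts:` in the last hunk goes through `parse_flag` exactly like `sUsePrivilegeSeparation`, so yes/no parsing is consistent with the other flags. The enclosing functions of every hunk start and end outside the hunks.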
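--- a/servconf.h
+++ b/servconf.h
@@ -123,6 +123,7 @@
 	char   *authorized_keys_file;	/* File containing public keys */
 	char   *authorized_keys_file2;
 	int	use_pam;		/* Enable auth via PAM */
+	int	deny_locked_accounts;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);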
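Review bot: The new `deny_locked_accounts` field has no trailing comment, unlike its neighbour `use_pam` with `/* Enable auth via PAM */`, and the struct is where a reader first meets the name. I'd write `int	deny_locked_accounts;	/* DenyLockedAccounts: refuse password-locked accounts (non-PAM auth only) */`, the non-PAM qualifier matching the `!options.use_pam` guard in auth.c. The struct definition starts outside the hunk.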
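--- a/sshd_config.5
+++ b/sshd_config.5
@@ -194,6 +194,12 @@
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
 .Pp
+.It Cm DenyLockedAccounts
+Specifies whether accounts that are "locked" are denied access no matter
+what authentication method is used. This only takes effect for non-PAM
+authentication, and it serves to deny even public-key access to an account
+that has a locked password. The default is to deny locked users.
+.Pp
 .It Cm DenyUsers
 This keyword can be followed by a list of user name patterns, separated
 by spaces.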
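--- a/sshd_config
+++ b/sshd_config
@@ -92,5 +92,11 @@
 # no default banner path
 #Banner /some/path
 
+# By default, accounts that are "locked" are denied regardless of
+# authentication method. This disables that behavior, which may be
+# appropriate for systems that *only* used locked accounts and never
+# permit PasswordAuthnetication.
+#DenyLockedAccounts no
+
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server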
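Review bot: The new comment block ships two typos in the default config: `PasswordAuthnetication` should read `PasswordAuthentication`, and `systems that *only* used locked accounts` should read `use`. The sentence `This disables that behavior` is also misleading next to a commented-out `#DenyLockedAccounts no`, since the sample line as shipped disables nothing; I'd write `# Setting this to "no" disables that behavior, which may be` so the reader knows the line must be uncommented to take effect.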
