Bugzilla – Attachment 477 Details for Bug 729
Feature request + patch: DenyLockedAccounts option in sshd_config
Attachment 477: Patch to add DenyLockedAccounts option to sshd_config
Filename: openssh-denylocked-patch.txt
MIME Type: text/plain
Size: 4.26 KB
Creator: Stephen J. Friedl
Created: 2003-10-06 04:41:53 AEST
Flags: patch, obsolete
> > From : Steve Friedl <steve at unixwiz.net> > ... no known relation to Markus Friedl :-) > > For: OpenSSH-3.7.1p2 > > The "locked account" behavior has hit quite a few people by surprise > (including me): most non-root accounts I create have locked passwords > and permit only pubkey authentication. 3.7.1p2 was a "surprise" > > This patch adds a "DenyLockedAccounts" option to the sshd_config file, > with a default of "yes" (the current behavior). If this is set to no, > the old behavior of allowing locked accounts to use pubkey will be used. > This won't have any effect on password authentication: a locked account > won't ever have a successful password match. > > The patch also updates the sshd_config man page and the sample config > file. > > I've tested the behavior with all three conditions: > > explicit "DenyLockedAccounts yes" > explicit "DenyLockedAccounts no" > default, un-optioned behavior > > and it's worked just fine on several systems without incident. > > To apply: > > # cd openssh-3.7.1p2 > > # patch -p0 --backup < /tmp/openssh-denylocked-patch.txt > >--- auth.c.orig 2003-10-04 21:56:27.000000000 +0000 >+++ auth.c 2003-10-04 22:26:23.000000000 +0000 >@@ -131,7 +131,7 @@ > #endif > > /* check for locked account */ >- if (!options.use_pam && passwd && *passwd) { >+ if (!options.use_pam && passwd && *passwd && options.deny_locked_accounts) { > int locked = 0; > > #ifdef LOCKED_PASSWD_STRING >--- servconf.c.orig 2003-10-04 22:01:15.000000000 +0000 >+++ servconf.c 2003-10-05 17:49:32.000000000 +0000 >@@ -100,6 +100,7 @@ > options->client_alive_count_max = -1; > options->authorized_keys_file = NULL; > options->authorized_keys_file2 = NULL; >+ options->deny_locked_accounts = -1; > > /* Needs to be accessable in many places */ > use_privsep = -1; 
>@@ -225,6 +226,9 @@ > if (options->authorized_keys_file == NULL) > options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; > >+ if (options->deny_locked_accounts == -1) >+ options->deny_locked_accounts = 1; >+ > /* Turn privilege separation on by default */ > if (use_privsep == -1) > use_privsep = 1; >@@ -264,6 +268,7 @@ > sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, > sGssAuthentication, sGssCleanupCreds, > sUsePrivilegeSeparation, >+ sDenyLockedAccounts, > sDeprecated, sUnsupported > } ServerOpCodes; > >@@ -355,6 +360,7 @@ > { "authorizedkeysfile", sAuthorizedKeysFile }, > { "authorizedkeysfile2", sAuthorizedKeysFile2 }, > { "useprivilegeseparation", sUsePrivilegeSeparation}, >+ { "denylockedaccounts", sDenyLockedAccounts }, > { NULL, sBadOption } > }; > >@@ -731,6 +737,10 @@ > intptr = &options->allow_tcp_forwarding; > goto parse_flag; > >+ case sDenyLockedAccounts: >+ intptr = &options->deny_locked_accounts; >+ goto parse_flag; >+ > case sUsePrivilegeSeparation: > intptr = &use_privsep; > goto parse_flag; >--- servconf.h.orig 2003-10-04 21:58:52.000000000 +0000 >+++ servconf.h 2003-10-04 21:59:06.000000000 +0000 >@@ -123,6 +123,7 @@ > char *authorized_keys_file; /* File containing public keys */ > char *authorized_keys_file2; > int use_pam; /* Enable auth via PAM */ >+ int deny_locked_accounts; > } ServerOptions; > > void initialize_server_options(ServerOptions *); >--- sshd_config.5.orig 2003-10-04 22:10:14.000000000 +0000 >+++ sshd_config.5 2003-10-05 17:48:51.000000000 +0000 
>@@ -194,6 +194,12 @@ > Only group names are valid; a numerical group ID is not recognized. > By default, login is allowed for all groups. > .Pp >+.It Cm DenyLockedAccounts >+Specifies whether accounts that are "locked" are denied access no matter >+what authentication method is used. This only takes effect for non-PAM >+authentication, and it serves to deny even public-key access to an account >+that has a locked password. The default is to deny locked users. >+.Pp > .It Cm DenyUsers > This keyword can be followed by a list of user name patterns, separated > by spaces. >--- sshd_config.orig 2003-10-04 22:15:38.000000000 +0000 >+++ sshd_config 2003-10-04 22:23:02.000000000 +0000 >@@ -92,5 +92,11 @@ > # no default banner path > #Banner /some/path > >+# By default, accounts that are "locked" are denied regardless of >+# authentication method. This disables that behavior, which may be >+# appropriate for systems that *only* used locked accounts and never >+# permit PasswordAuthnetication. >+#DenyLockedAccounts no >+ > # override default of no subsystems > Subsystem sftp /usr/libexec/sftp-server
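Review bot: in the auth.c hunk, appending `&& options.deny_locked_accounts` to the `if` disables the whole lock check rather than relaxing it, so a locked account that gets in with a public key under `DenyLockedAccounts no` leaves nothing in the log to distinguish it from an unlocked one. Suggest keeping the `locked` computation unconditional and, when the option is off and `locked` is set, emitting a log line (for example `User %.100s has a locked password, allowed by DenyLockedAccounts`) before falling through, so an auditor reading auth logs can see that a policy exception, not an unlocked account, admitted the session.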
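Review bot: the keyword-table hunk in servconf.c names the option negatively (`denylockedaccounts`), so the setting an admin actually wants, "let locked accounts authenticate with keys", has to be written as `DenyLockedAccounts no`, a double negative next to the positively phrased `allow_tcp_forwarding` flag the parse hunk sits beside. Consider a positive name such as `PermitLockedAccounts` with a default of `no`, which keeps the current behaviour as the default and reads the same way as the other permit/allow keywords; if the name stays, the yes/no argument form should at least be stated where the option is documented.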
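Review bot: the servconf.h hunk adds `int deny_locked_accounts;` without the trailing comment that the neighbouring fields carry (`/* Enable auth via PAM */` on `use_pam`, `/* File containing public keys */` on `authorized_keys_file`); add one such as `/* Refuse locked accounts even for pubkey */` so the field's meaning is visible without reading auth.c.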
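Review bot: the sshd_config.5 hunk says "The default is to deny locked users" but never gives the argument form or the keyword's default value the way the surrounding entries do; it also leaves "locked" undefined, although the auth.c hunk shows it means the password field matches the platform's lock string (`LOCKED_PASSWD_STRING`). Suggest ending the entry with something like "The argument must be yes or no. The default is yes." and saying that "locked" refers to the password field carrying the platform's lock marker, so an admin knows that `passwd -l` style locks are what is meant and that password authentication is unaffected either way.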
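Review bot: the sample sshd_config hunk has a typo, `PasswordAuthnetication` for `PasswordAuthentication`, and "systems that *only* used locked accounts" should read "use". More importantly, the commented-out line shows the non-default value (`#DenyLockedAccounts no`) directly under a comment explaining the default, so an admin who uncomments it to "enable the option" silently flips policy to admitting locked accounts by key. Suggest showing the default (`#DenyLockedAccounts yes`) and wording the comment as "Set to no to let accounts with a locked password still authenticate by public key (no effect when UsePAM is on)".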
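The locked-account gate the message above describes, as an added example that is neither OpenSSH's auth.c nor the patch author's code: a C model of the check with the DenyLockedAccounts flag wired in where the patch puts it, run over constructed password fields to show which combinations of method, setting and field get through, including the two points the message makes (with the option off, a locked account can still continue to the public-key check; password authentication fails regardless because a marked field can never match). The lock markers `*LK*` and `!`, the `$toy$` hash, and the sample credentials are assumptions made for illustration; real sshd uses the platform-specific `LOCKED_PASSWD_*` macros chosen at configure time and crypt(3).

```c
#include <stdio.h>
#include <string.h>

/* Lock markers. Assumption for this example: OpenSSH's configure script
 * selects platform-specific LOCKED_PASSWD_STRING / LOCKED_PASSWD_PREFIX
 * values; "*LK*" and "!" are used here only as illustrative stand-ins. */
#define LOCKED_PASSWD_STRING "*LK*"
#define LOCKED_PASSWD_PREFIX "!"

struct server_options {
    int use_pam;              /* UsePAM: PAM does its own account checks   */
    int deny_locked_accounts; /* DenyLockedAccounts from the patch (1=yes) */
};

enum auth_method { AUTH_PUBKEY, AUTH_PASSWORD };

enum verdict {
    DENIED_LOCKED,    /* refused by the lock gate before any method runs */
    PUBKEY_CONTINUES, /* gate passed; the normal key check would follow  */
    PASSWORD_OK,
    PASSWORD_FAIL
};

/* Does the stored password field carry a lock marker? */
int passwd_is_locked(const char *passwd)
{
    if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
        return 1;
    if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
                strlen(LOCKED_PASSWD_PREFIX)) == 0)
        return 1;
    return 0;
}

/* The gate as the patch leaves it: consulted only when PAM is off, the
 * field is non-empty, and DenyLockedAccounts is yes. Returns 1 to let
 * authentication continue, 0 to refuse. */
int lock_gate_allows(const struct server_options *opt, const char *passwd)
{
    if (!opt->use_pam && passwd && *passwd && opt->deny_locked_accounts
        && passwd_is_locked(passwd))
        return 0;
    return 1;
}

/* Toy stand-in for crypt(3) (assumption: not a real hash, just enough to
 * show why a marked field can never equal a freshly computed one). */
static void toy_hash(const char *pw, char *out, size_t outlen)
{
    snprintf(out, outlen, "$toy$%s", pw);
}

/* Outcome of one authentication attempt against a stored password field. */
enum verdict decide(const struct server_options *opt, enum auth_method method,
                    const char *stored, const char *supplied_password)
{
    char computed[128];

    if (!lock_gate_allows(opt, stored))
        return DENIED_LOCKED;
    if (method == AUTH_PUBKEY)
        return PUBKEY_CONTINUES;
    toy_hash(supplied_password, computed, sizeof computed);
    /* "!$toy$..." or "*LK*" never equals a computed hash, which is why the
     * option cannot open password login even when the gate is off. */
    return strcmp(stored, computed) == 0 ? PASSWORD_OK : PASSWORD_FAIL;
}

/* Same decision with the two settings passed directly. */
enum verdict decide_with(int use_pam, int deny_locked_accounts,
                         enum auth_method method, const char *stored,
                         const char *supplied_password)
{
    struct server_options o;
    o.use_pam = use_pam;
    o.deny_locked_accounts = deny_locked_accounts;
    return decide(&o, method, stored, supplied_password);
}

int main(void)
{
    /* Constructed sample password fields for one account (assumption). */
    const char *unlocked = "$toy$hunter2";
    const char *locked = "!$toy$hunter2";
    static const char *names[] = { "DENIED_LOCKED", "PUBKEY_CONTINUES",
                                   "PASSWORD_OK", "PASSWORD_FAIL" };

    printf("deny=yes pubkey   locked   -> %s\n",
           names[decide_with(0, 1, AUTH_PUBKEY, locked, "")]);
    printf("deny=no  pubkey   locked   -> %s\n",
           names[decide_with(0, 0, AUTH_PUBKEY, locked, "")]);
    printf("deny=no  password locked   -> %s\n",
           names[decide_with(0, 0, AUTH_PASSWORD, locked, "hunter2")]);
    printf("deny=yes password unlocked -> %s\n",
           names[decide_with(0, 1, AUTH_PASSWORD, unlocked, "hunter2")]);
    printf("UsePAM   pubkey   locked   -> %s\n",
           names[decide_with(1, 1, AUTH_PUBKEY, locked, "")]);
    return 0;
}
```

The last case is the one to keep in mind when deploying the option: with UsePAM on, the gate is skipped whatever DenyLockedAccounts says, and whether a locked account can log in by key is decided by the PAM account stack instead.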