Bug 278

Summary: ssh allows auto login even if account is locked
Product: Portable OpenSSH
Reporter: Bryan Baughman <bryan_baughman>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: bryan_baughman
Priority: P2
Version: -current
Hardware: UltraSPARC
OS: Solaris

Description Bryan Baughman 2002-06-15 04:35:23 AEST
Set up authorized_keys(2) file on the server.
Verify that automated login works.
Lock the user's account: passwd -l accountname
ssh to the server; it will let you in.
Comment 1 Darren J Moffat 2002-06-15 04:56:09 AEST
This happens because sshd with public-key login does not call pam_authenticate,
but does call pam_acct_mgmt.  In the pam_unix.so module that is shipped in
Solaris 8 there is no explicit account locked check.

This has been fixed in Solaris 9 and a fix for Solaris 8 is currently underway.
OpenSSH is not broken in any way, this is a Solaris bug that only appears
when PAM applications call pam_acct_mgmt without having first called 
pam_authenticate.

In the meantime a workaround would be to write a simple PAM module that stacks
above or below pam_unix that checks for the string *LK* in sp->spwdp for the
user defined in PAM_USER.
Comment 2 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED