On an account with no password ("user" on a Nokia N900), I set up RSA authentication, but ssh still asked me for a password. After looking at sshd debug messages on the N900 (server from OpenSSH 5.1p1), I saw that this was because the account was locked. This surprised me because there is no such behavior with OpenSSH 4.7p1 on the N810. In fact, I wasn't aware of the notion of locked accounts for ssh until now. So, I think it would be better for the end user if ssh output an error message saying that the account is locked instead of asking for a password. Or would that be a security problem? If yes, even if the server checks that the public key is authorized and outputs the error message only in this case? Also, though the sshd(8) man page has a paragraph about locked accounts, there's nothing in the ssh(1) man page.
(In reply to Vincent Lefevre from comment #0)

> So, I think it would be better for the end user if ssh output an error message saying that the account is locked instead of asking for a password. Or would that be a security problem? If yes, even if the server checks that the public key is authorized and outputs the error message only in this case?

Sorry for the inconvenience, but I don't think we're going to change the behaviour. It's poor form to leak information to unauthorized users (and in the case where the account is locked, the user is not authorized).

> Also, though the sshd(8) man page has a paragraph about locked accounts, there's nothing in the ssh(1) man page.

This behaviour is entirely within sshd, so attempting to document it in ssh would be incorrect.
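To make the locked-account check concrete for an administrator reading this thread: the following is an added example (not code from the OpenSSH project or from either commenter) that applies the same style of test to a shadow-style entry, so you can see why a valid key still ends in a password prompt. The lock markers are assumptions modelled on how the portable build configures them per platform; the sample entries are constructed.

```python
# Added example: mirror the locked-account test sshd applies before any
# authentication method runs, so an admin can see why a key-only login
# ends in a password prompt. Not code from the OpenSSH project.

# Lock markers are platform dependent; these values are assumptions modelled
# on the portable build (Linux shadow "!" prefix, Solaris-style "*LK*").
LOCKED_PASSWD_STRING = "*LK*"   # whole field equals this
LOCKED_PASSWD_PREFIX = "!"      # field starts with this (passwd -l)
LOCKED_PASSWD_SUBSTR = None     # field contains this (unused here)


def password_field(shadow_line):
    """Field 2 of a shadow(5)-style line: 'name:hash:lastchg:...'."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow-style entry")
    return fields[1]


def is_locked(pw):
    """The three checks sshd combines; any one hit locks the account."""
    if LOCKED_PASSWD_STRING is not None and pw == LOCKED_PASSWD_STRING:
        return True
    if LOCKED_PASSWD_PREFIX is not None and pw.startswith(LOCKED_PASSWD_PREFIX):
        return True
    if LOCKED_PASSWD_SUBSTR is not None and LOCKED_PASSWD_SUBSTR in pw:
        return True
    return False


def check_account(shadow_line):
    """Return (allowed, reason). A locked account is refused before the
    public key is even looked at, so an authorized key never helps."""
    if is_locked(password_field(shadow_line)):
        return (False, "account is locked")
    return (True, "ok")


# Constructed sample entries, not real accounts.
SAMPLES = {
    "user":   "user:!:15000:0:99999:7:::",        # locked: password never set
    "alice":  "alice:$6$saltsalt$hashhash:15000:0:99999:7:::",
    "bob":    "bob:*LK*:15000:0:99999:7:::",
    "daemon": "daemon:*:15000:0:99999:7:::",      # "*" alone matches no marker here
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        allowed, reason = check_account(line)
        print(f"{name:7s} allowed={allowed} ({reason})")
```

Run it against a copy of your own shadow entries to confirm whether a refused key login is the lock rather than the key; sshd reports the same condition only in its debug output on the server, never to the client.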
(In reply to Darren Tucker from comment #1)

> This behaviour is entirely within sshd, so attempting to document it in ssh would be incorrect.

I disagree. The ssh(1) man page has sshd information that can be useful to the ssh user, e.g. it mentions the ~/.ssh/authorized_keys, ~/.ssh/known_hosts and ~/.ssh/rc files, which are only used by sshd. Note that the first one is also about authorization.
Close all resolved bugs after 7.3p1 release