Bug 278 - ssh allows auto login even if account is locked
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: UltraSPARC Solaris
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2002-06-15 04:35 AEST by Bryan Baughman
Modified: 2004-04-14 12:24 AEST

Description Bryan Baughman 2002-06-15 04:35:23 AEST
Set up authorized_keys(2) file on the server.
Verify that automated login works.
Lock the user's account: passwd -l accountname
ssh to the server; it will let you in.
Comment 1 Darren J Moffat 2002-06-15 04:56:09 AEST
This happens because sshd with public-key login does not call pam_authenticate,
but does call pam_acct_mgmt.  In the pam_unix.so module that is shipped in
Solaris 8 there is no explicit account locked check.

This has been fixed in Solaris 9 and a fix for Solaris 8 is currently underway.
OpenSSH is not broken in any way; this is a Solaris bug that only appears
when PAM applications call pam_acct_mgmt without having first called 
pam_authenticate.

In the meantime a workaround would be to write a simple pam module that stacks
above or below pam_unix that checks for the string *LK* in sp->spwdp for the
user defined in PAM_USER.
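
The workaround described in Comment 1, as an added example (not code from this bug report, OpenSSH, or Solaris): a PAM account-management hook that looks up PAM_USER in the shadow database and refuses the login when the password field (`sp_pwdp` in `struct spwd`) contains `*LK*`. The module name `pam_lkcheck`, the `BUILD_PAM_MODULE` macro, the helper function names, and the choice of return codes are assumptions of this example.

```c
/* pam_lkcheck.c (hypothetical name): deny locked accounts in the PAM account stack.
 * Build as a module, e.g. with gcc:
 *   gcc -fPIC -shared -DBUILD_PAM_MODULE -o pam_lkcheck.so pam_lkcheck.c -lpam */
#include <shadow.h>
#include <stddef.h>
#include <string.h>

#define LOCK_MARKER "*LK*"   /* lock string named in Comment 1 */

/* 1 if the shadow password field carries the lock marker, else 0. */
int shadow_field_is_locked(const char *pwdp)
{
    return pwdp != NULL && strstr(pwdp, LOCK_MARKER) != NULL;
}

/* 1 = locked, 0 = not locked, -1 = no shadow entry readable for this user. */
int account_is_locked(const char *user)
{
    struct spwd *sp = (user != NULL) ? getspnam(user) : NULL;
    return sp == NULL ? -1 : shadow_field_is_locked(sp->sp_pwdp);
}

#ifdef BUILD_PAM_MODULE
#include <security/pam_appl.h>
#include <security/pam_modules.h>

/* Account hook: reached on public-key logins, since sshd calls pam_acct_mgmt
 * even when pam_authenticate was never called. */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    (void)flags; (void)argc; (void)argv;

    /* (void *) cast: the item-pointer type differs between PAM implementations. */
    if (pam_get_item(pamh, PAM_USER, (void *)&user) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;

    switch (account_is_locked(user)) {
    case 1:  return PAM_PERM_DENIED;  /* locked: refuse whatever the auth method */
    case 0:  return PAM_SUCCESS;      /* not locked: rest of the stack decides */
    default: return PAM_IGNORE;       /* no shadow entry: defer to pam_unix */
    }
}
#endif
```

The module only has an effect if it is listed in the account stack of the service sshd uses, with a control flag that makes its failure fatal.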
Comment 2 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED