Mailing List Archive

[Bug 442] sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442

djm@mindrot.org changed:

What                    |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|        |627





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 442] sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442

dtucker@zip.com.au changed:

What                      |Removed |Added
----------------------------------------------------------------------------
Attachment #249 is obsolete|0       |1



------- Additional Comments From dtucker@zip.com.au 2003-08-24 11:39 -------
Created an attachment (id=368)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=368&action=view)
Check for locked accounts: update patch to -current.

Should the test be in a separate function, eg "int check_locked(char *passwd)"?


If none of the account checks are defined, the if block is dead code. Is it
worth adding "#if defined(LOCKED_PASSWD_STRING) || defined(...."?




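The separate check_locked() function and the #if guard asked about in the comment above could look like the following. This is an added example, not code from the attachment or from OpenSSH: LOCKED_PASSWD_STRING is the only macro name taken from the thread, while its value, EXAMPLE_LOCKED_PREFIX, account_allowed() and the use_pam parameter are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed marker values; the real ones are platform-specific. */
#define LOCKED_PASSWD_STRING  "*LK*"  /* macro name from the thread */
#define EXAMPLE_LOCKED_PREFIX "!"     /* hypothetical second check */

/* Return 1 if the password field marks the account as locked, else 0. */
int
check_locked(const char *passwd)
{
	if (passwd == NULL)	/* no entry was read: nothing to match */
		return 0;
#ifdef LOCKED_PASSWD_STRING
	if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
		return 1;
#endif
#ifdef EXAMPLE_LOCKED_PREFIX
	if (strncmp(passwd, EXAMPLE_LOCKED_PREFIX,
	    strlen(EXAMPLE_LOCKED_PREFIX)) == 0)
		return 1;
#endif
	return 0;
}

/*
 * Caller-side gate, applied to every authentication method. use_pam is a
 * hypothetical stand-in for options.use_pam; with PAM on, the decision is
 * assumed to be left to PAM's own account checks.
 */
int
account_allowed(const char *passwd, int use_pam)
{
#if defined(LOCKED_PASSWD_STRING) || defined(EXAMPLE_LOCKED_PREFIX)
	if (!use_pam && check_locked(passwd))
		return 0;	/* locked: refuse, even for a valid public key */
#endif
	return 1;
}

int
main(void)
{
	/* Constructed password fields, not taken from any real system. */
	const char *samples[] = { "*LK*", "!$6$salt$hash", "$6$salt$hash" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s allowed=%d\n", samples[i],
		    account_allowed(samples[i], 0));
	return 0;
}
```
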
[Bug 442] sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442





------- Additional Comments From djm@mindrot.org 2003-08-25 10:13 -------
(From update of attachment 368)
>-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
>- defined(HAS_SHADOW_EXPIRE)
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>+ if (!options.use_pam)
>+ spw = getspnam(pw->pw_name);
>+#if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE)
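
Review bot: spw is assigned only under "if (!options.use_pam)" in the added lines, and getspnam(pw->pw_name) can itself return NULL, so every later use of spw has to tolerate a NULL pointer. Initialise spw to NULL where it is declared and test it before dereferencing. The new nested "#if ... defined(HAS_SHADOW_EXPIRE)" now sits inside the outer HAVE_SHADOW_H block, so a short comment on each matching #endif would make it easier to see which code is compiled on platforms without shadow expiry.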

The !USE_PAM should be removed and replaced with a !options.use_pam. The
behaviour for UsePAM=no should be the same as being configured --without-pam.




[Bug 442] sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442

dtucker@zip.com.au changed:

What                      |Removed |Added
----------------------------------------------------------------------------
Attachment #368 is obsolete|0       |1



------- Additional Comments From dtucker@zip.com.au 2003-08-25 10:37 -------
Created an attachment (id=370)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=370&action=view)
Fix options.use_pam and log -> logit.

Whoops, missed that (and a log -> logit). Both fixed.



[Bug 442] sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442

djm@mindrot.org changed:

What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #370 Status|        |ok



------- Additional Comments From djm@mindrot.org 2003-08-25 11:29 -------
(From update of attachment 370)
ok djm@




[Bug 442] sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442

dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED



------- Additional Comments From dtucker@zip.com.au 2003-08-25 11:52 -------
Applied, thanks.


