bugzilla-daemon at mindrot.org
2002-Nov-24 03:23 UTC
[Bug 442] New: sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442

           Summary: sshd allows login via public-key when account locked
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: security
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dtucker at zip.com.au

Observed on Redhat and Solaris.

When openssh is configured without PAM, an account that is locked (via passwd -l) can still be logged into via public-key authentication.

Although the password field is modified (to "*LK*" on Solaris or with a leading "!" on Redhat), allowed_user() does not test for those so if password authentication isn't used, the login still succeeds.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
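An added example, not part of the original report and not OpenSSH's own code: a C check for the two lock markers the report names, applied to the password field regardless of which authentication method is in use. The function names, the prefix match on "*LK*" and the shadow-style sample lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lock markers named in the report: "*LK*" (Solaris) and a leading "!" (Redhat).
 * Matching "*LK*" as a prefix rather than the whole field is an assumption. */
static int pw_field_is_locked(const char *pw)
{
    if (pw == NULL)
        return 0;
    if (strncmp(pw, "*LK*", 4) == 0)
        return 1;
    return pw[0] == '!';
}

/* Hypothetical helper: inspect one "name:password:..." line.
 * Returns 1 if locked, 0 if not locked, -1 if the line is malformed. */
int shadow_line_is_locked(const char *line)
{
    char pw[256];
    const char *start;
    size_t len;

    if (line == NULL || (start = strchr(line, ':')) == NULL)
        return -1;
    start++;                          /* first byte of the password field */
    len = strcspn(start, ":\n");      /* field ends at next ':' or end of line */
    if (len >= sizeof(pw))
        return -1;
    memcpy(pw, start, len);
    pw[len] = '\0';
    return pw_field_is_locked(pw);
}

int main(void)
{
    /* Constructed sample entries; the hash values are placeholders. */
    static const char *sample[] = {
        "alice:$1$constructed$hashvalue:12000:0:99999:7:::",
        "bob:*LK*:12000::::::",
        "carol:!$1$constructed$hashvalue:12000:0:99999:7:::",
    };
    size_t i;

    for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        printf("%-55s locked=%d\n", sample[i], shadow_line_is_locked(sample[i]));
    return 0;
}
```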