bugzilla-daemon at mindrot.org
2005-Sep-09 09:50 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

           Summary: Disable login for locked account
           Product: Portable OpenSSH
           Version: 4.2p1
          Platform: HPPA
        OS/Version: HP-UX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: senthilkumar_sen at hotpop.com

On some HP-UX systems sshd lets users log in with public key authentication even if their accounts are locked. This happens on systems that lack the shadow password feature.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Sep-09 10:02 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

------- Additional Comments From senthilkumar_sen at hotpop.com 2005-09-09 20:02 -------
Created an attachment (id=955)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=955&action=view)
Fix for denying login to locked account through public key

The attached patch fixes the problem on those HP-UX systems which lack shadow passwords. This patch denies login to the account irrespective of whether the shadow password feature is installed or not during system updates.
bugzilla-daemon at mindrot.org
2005-Sep-30 03:42 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

dtucker at zip.com.au changed:

                What    |Removed                     |Added
----------------------------------------------------------------------------
    Attachment #955 Flag|                            |ok+

------- Additional Comments From dtucker at zip.com.au 2005-09-30 13:42 -------
(From update of attachment 955)
Seems reasonable to me, anyone else see any potential side effects? Especially with the HAVE_LIBIAF stuff that was recently added?
bugzilla-daemon at mindrot.org
2005-Oct-03 19:54 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

------- Additional Comments From tim at multitalents.net 2005-10-04 05:54 -------
(In reply to comment #2)
> (From update of attachment 955 [edit])
> Seems reasonable to me, anyone else see any potential side effects? Especially
> with the HAVE_LIBIAF stuff that was recently added?
>

I don't see any problem with this in regards to the HAVE_LIBIAF bits. But I fail to see the need for the change. On HP-UX systems that lack shadow passwords, I would expect USE_SHADOW to not be defined, so it'll hit the else where
	passwd = pw->pw_passwd;
Or are we running into a situation where the system has shadow.h but doesn't use shadow passwords and ssh was configured without using the --without-shadow option?
bugzilla-daemon at mindrot.org
2005-Oct-04 09:36 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

------- Additional Comments From senthilkumar_sen at hotpop.com 2005-10-04 19:36 -------
From comment #3,
> Or are we running into a situation where the system has shadow.h but doesn't
> use shadow passwords and ssh was configured without using the --without-shadow
> option?

Yes, you're right.
bugzilla-daemon at mindrot.org
2005-Oct-05 02:25 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

------- Additional Comments From dtucker at zip.com.au 2005-10-05 12:25 -------
Shadow passwords are a run-time installable feature on HP-UX (11.00 and 11.11 I think) but some of the infrastructure such as the getspnam() call is present on at least some versions without the feature.

So I guess the question is: can it get into this situation with a normal HP-UX configuration (as opposed to a misconfigured system with mismatched includes/runtime)?

Also, a slightly simpler patch would be to put the "passwd = pw->pw_passwd;" without the "if" before all of the #ifdefs. This should have the same behaviour as the proposed patch.
bugzilla-daemon at mindrot.org
2005-Oct-05 04:33 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

------- Additional Comments From senthilkumar_sen at hotpop.com 2005-10-05 14:33 -------
(In reply to comment #5)
> can it get into this situation with a normal HP-UX configuration?

I assume this means a configuration with the shadow feature installed. With this, spw will not be set to NULL unless getspnam fails for the user (bogus user). In 11.11, for a misconfigured system spw will be NULL and thus passwd also NULL. So I think this won't affect the normal configuration, and also my testing says it worked well for systems with normal configuration and the problem happens only with misconfigured systems.

> Also, a slightly simpler patch would be to put the "passwd = pw->pw_passwd;"
> without the "if" before all of the #ifdefs.

Yes, it will have the same effect. One more thing, can we move that like below,
	const char *hostname = NULL, *ipaddr = NULL, *passwd = pw->pw_passwd;
bugzilla-daemon at mindrot.org
2005-Oct-05 05:20 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

------- Additional Comments From senthilkumar_sen at hotpop.com 2005-10-05 15:20 -------
In comment #6
> const char *hostname = NULL, *ipaddr = NULL, *passwd = pw->pw_passwd;

As there is a check for pw as given below,
	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
I think we can do the passwd = pw->pw_passwd assignment after this. This occurs after the first #ifdef, which is for the shadow structure.
bugzilla-daemon at mindrot.org
2005-Oct-06 07:11 UTC
[Bug 1083] Disable login for locked account
http://bugzilla.mindrot.org/show_bug.cgi?id=1083

senthilkumar_sen at hotpop.com changed:

                What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #955 is obsolete|0                        |1

------- Additional Comments From senthilkumar_sen at hotpop.com 2005-10-06 17:10 -------
Created an attachment (id=982)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=982&action=view)
Patch to honour locked accounts for key based auth if shadow is not enabled.

The patch is updated based on comments #5 and #7. I tested this by installing/uninstalling the shadow feature at run time.
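The failure mode the thread describes, as an added C model (not OpenSSH's auth.c and not the attached patches): a lock check that reads only the shadow entry, beside the ordering agreed in comments #5 and #7 where passwd defaults to pw->pw_passwd and a present shadow entry overrides it. The "*" lock marker, the fake_getspnam() stand-in for getspnam(), and the sample entries are assumptions constructed for the example.

```c
/* Added model of the lock check discussed above; not OpenSSH's auth.c.
 * Assumed: "*" marks a locked password field, and fake_getspnam() stands in
 * for getspnam() returning NULL when the shadow feature is not installed. */
#include <string.h>

#define LOCKED_PREFIX "*"
struct pw  { const char *pw_name; const char *pw_passwd; };
struct spw { const char *sp_pwdp; };

static const struct spw *fake_getspnam(const struct spw *shadow, int installed)
{
    return installed ? shadow : NULL;   /* NULL: shadow feature absent */
}

static int is_locked(const char *passwd)
{
    /* A NULL or empty field gives no information and is not treated as locked. */
    return passwd != NULL && *passwd != '\0' &&
           strncmp(passwd, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0;
}

/* Before: passwd is set only from the shadow entry, so a NULL spw leaves it
 * NULL and a locked account sails through the check. */
int locked_before(const struct pw *pw, const struct spw *shadow, int installed)
{
    const char *passwd = NULL;
    const struct spw *spw = fake_getspnam(shadow, installed);
    (void)pw;                           /* pw_passwd is never consulted */
    if (spw != NULL)
        passwd = spw->sp_pwdp;
    return is_locked(passwd);
}

/* After (comments #5 and #7): start from pw->pw_passwd and let a present
 * shadow entry override it, so a missing entry falls back to passwd(4). */
int locked_after(const struct pw *pw, const struct spw *shadow, int installed)
{
    const char *passwd = pw->pw_passwd;
    const struct spw *spw = fake_getspnam(shadow, installed);
    if (spw != NULL)
        passwd = spw->sp_pwdp;
    return is_locked(passwd);
}

/* Constructed sample entries: a locked account and an unlocked one. */
const struct pw  sample_locked_pw  = { "alice", "*LK*constructedhash" };
const struct spw sample_locked_spw = { "*LK*constructedhash" };
const struct pw  sample_open_pw    = { "bob", "constructedhash" };
```

With the shadow feature installed both versions agree; with it absent only the patched ordering still reports the locked account as locked.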