openssh unix dev - Jan 2002 - locked account accessable via pubkey auth

maybe this is a silly question ;-) But why is it possible to login on a
machine with a locked account (passwd -l ) via pubkey-authentication
(authorized_keys) ?
I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not
happen.

If this is the normal behaviour and built in intentionally what would be the
easiest way to lock an account without deleting the users authorized_keys ?
If not, what output do you need to verify the problem ?

Alex

On Tue, 29 Jan 2002, Dost, Alexander wrote:
> maybe this is a silly question ;-) But why is it possible to
> login on a machine with a locked account (passwd -l ) via
> pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on
> Solaris8 with PAM support so I thought this should not happen.
>
> If this is the normal behaviour and built in intentionally what
> would be the easiest way to lock an account without deleting the
> users authorized_keys ? If not, what output do you need to verify
> the problem ?
"locking" an account is really locking the password, since you
are not using password authentication this is ignored. 

A way that should work is to mark the account as expired, or
just rename the ~/.ssh/authorized_keys file

-d

Thanks for the answer. Funny solution to my problem now is:
do a passwd -l and -f so the account is expired and locked. When logging in,
the user is asked to change the password (as password auth is enabled also)
and entering the old login pw fails :-) Dirty but working. I agree that
changing the authorized_keys file is a better way.
Thanks for the help.

Alex
> -----Original Message-----
> From:	Damien Miller [SMTP:djm at mindrot.org]
> Sent:	Tuesday, January 29, 2002 13:16
> To:	Dost, Alexander
> Cc:	openssh-unix-dev at mindrot.org
> Subject:	Re: locked account accessable via pubkey auth
> 
> On Tue, 29 Jan 2002, Dost, Alexander wrote:
> 
> > maybe this is a silly question ;-) But why is it possible to
> > login on a machine with a locked account (passwd -l ) via
> > pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on
> > Solaris8 with PAM support so I thought this should not happen.
> >
> > If this is the normal behaviour and built in intentionally what
> > would be the easiest way to lock an account without deleting the
> > users authorized_keys ? If not, what output do you need to verify
> > the problem ?
> 
> "locking" an account is really locking the password, since you
> are not using password authentication this is ignored. 
> 
> A way that should work is to mark the account as expired, or
> just rename the ~/.ssh/authorized_keys file
> 
> -d

If you have received this e-mail in error or wish to read our e-mail disclaimer
statement and monitoring policy, please refer to
http://www.drkw.com/disc/email/ or contact the sender.

What we're doing is adding the users to a special group called
"disabled"
and we have "DenyGroups disabled" directive in our sshd_config file. 
Since
we're rolling out an account provisioning tool, we can customized it to add
the user to that group when they're disabled.  Alternatively, it could be
done manually by policies/procedures, but I don't trust our operations folk
to get it right.

Thanks,
--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501


-----Original Message-----
From: Dost, Alexander [mailto:Alexander.Dost at drkw.com]
Sent: Tuesday, January 29, 2002 6:28
To: 'Damien Miller'
Cc: openssh-unix-dev at mindrot.org
Subject: RE: locked account accessable via pubkey auth


Thanks for the answer. Funny solution to my problem now is:
do a passwd -l and -f so the account is expired and locked. When logging in,
the user is asked to change the password (as password auth is enabled also)
and entering the old login pw fails :-) Dirty but working. I agree that
changing the authorized_keys file is a better way.
Thanks for the help.

Alex
> -----Original Message-----
> From:	Damien Miller [SMTP:djm at mindrot.org]
> Sent:	Tuesday, January 29, 2002 13:16
> To:	Dost, Alexander
> Cc:	openssh-unix-dev at mindrot.org
> Subject:	Re: locked account accessable via pubkey auth
> 
> On Tue, 29 Jan 2002, Dost, Alexander wrote:
> 
> > maybe this is a silly question ;-) But why is it possible to
> > login on a machine with a locked account (passwd -l ) via
> > pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on
> > Solaris8 with PAM support so I thought this should not happen.
> >
> > If this is the normal behaviour and built in intentionally what
> > would be the easiest way to lock an account without deleting the
> > users authorized_keys ? If not, what output do you need to verify
> > the problem ?
> 
> "locking" an account is really locking the password, since you
> are not using password authentication this is ignored. 
> 
> A way that should work is to mark the account as expired, or
> just rename the ~/.ssh/authorized_keys file
> 
> -d

If you have received this e-mail in error or wish to read our e-mail
disclaimer statement and monitoring policy, please refer to
http://www.drkw.com/disc/email/ or contact the sender.
_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev


***************************************************************************************
WARNING:  All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020129/35ead2cb/attachment.html

On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander
wrote:
> maybe this is a silly question ;-) But why is it possible to login on a
> machine with a locked account (passwd -l ) via pubkey-authentication
> (authorized_keys) ?
> I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should
not
> happen.
Check the list archives and you'll find others with the same problem.
Noone has turned up a solution with Solaris 8/PAM yet.

-- 
albert chin (china at thewrittenword.com)

On Tue, 29 Jan 2002, Dost, Alexander wrote:
:maybe this is a silly question ;-) But why is it possible to login on a
:machine with a locked account (passwd -l ) via pubkey-authentication
:(authorized_keys) ?
:I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not
:happen.

what does rlogind do under the same conditions with host equivalency
configured?

:If this is the normal behaviour and built in intentionally what would be the
:easiest way to lock an account without deleting the users authorized_keys ?
:If not, what output do you need to verify the problem ?

in the PAM case, PAM decides, via pam_acct_mgmt().  if i do ``passwd -l
user'' on HP-UX i see:

Jan 29 07:34:26 jenny sshd[2601]: PAM rejected by account
configuration[28]: Account is disabled - see Account Administrator

If it is locked, the users is not allowed to change his own password. So he
can not unlock it. You get a permission denied when trying to do so.

Alex
> -----Original Message-----
> From:	Dan Kaminsky [SMTP:dan at doxpara.com]
> Sent:	Wednesday, January 30, 2002 09:48
> To:	Damien Miller; Frank Cusack
> Cc:	openssh-unix-dev at mindrot.org; Dost, Alexander
> Subject:	Re: locked account accessable via pubkey auth
> 
> > I don't think it is a bug even. Having accounts with locked
passwords,
> but
> > still accessible via pubkey auth is a very useful thing.
> 
> I agree, with one small caveat:  Can a user unlock his own password?
> 
> --Dan
>

I can only speak for Solaris (8). But the comand 'passwd -l' is
restricted
for root.
I think this behaviour is the same for all Solaris versions, as the only way
to unlock your password is to change it. Then the *LK* string is replaced by
the new password in /etc/shadow. But when you try to change your password
the first thing is to enter your login password, which is locked...

Alex
> -----Original Message-----
> From:	Dan Kaminsky [SMTP:dan at doxpara.com]
> Sent:	Wednesday, January 30, 2002 10:14
> To:	Dost, Alexander; Damien Miller; Frank Cusack
> Cc:	openssh-unix-dev at mindrot.org
> Subject:	Re: locked account accessable via pubkey auth
> 
> > If it is locked, the users is not allowed to change his own password.
So
> he
> > can not unlock it. You get a permission denied when trying to do so.
> 
> Actually, that's really useful and very cool!  Which platforms support
> this
> behavior -- just recent Solaris, or most Unixen?
> 
> Can a user lock their own account?
> 
> --Dan
> 
> 


If you have received this e-mail in error or wish to read our e-mail disclaimer
statement and monitoring policy, please refer to
http://www.drkw.com/disc/email/ or contact the sender.

On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander
wrote:
> maybe this is a silly question ;-) But why is it possible to login on a
> machine with a locked account (passwd -l ) via pubkey-authentication
> (authorized_keys) ?
expired passwords are very different from expired accounts:

if a password is expired the password can longer be used.
if an account is expired the account can longer be used.

or am I missing something?

No, it's at best a really annoying "feature" but it feels more
like a bug.
Basically, it makes it a royal pain in the arse to disable an account when a
user leaves since all of the Solaris tools assume that passwd=*LK* means
that the account is disabled.  Hence, if you actually want to disable the
account you have to first use Sun's tool and additionally either change the
shell to /bin/false or similar, put the user in a group that's listed in
sshd_config's DenyGroups, go wipe out user keys and configs, or some other
kludge.  Kludging sucks.

Thanks,
--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501


-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Tuesday, January 29, 2002 22:40
To: Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


On Tue, 29 Jan 2002, Frank Cusack wrote:
> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > maybe this is a silly question ;-) But why is it possible to
login on
a
> > > machine with a locked account (passwd -l ) via
pubkey-authentication
> > > (authorized_keys) ?
> > > I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this
should not
> > > happen.
> > 
> > Check the list archives and you'll find others with the same
problem.
> > Noone has turned up a solution with Solaris 8/PAM yet.
> 
> huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can
> look into this, unfortunately not within a day or so.
I don't think it is a bug even. Having accounts with locked passwords, but
still accessible via pubkey auth is a very useful thing.

-d


_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev


***************************************************************************************
WARNING:  All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020130/0d7eed4a/attachment.html

As an interesting side note, HP-UX used to also have this problem, but I
just tested on an 11.0 trusted HP-UX box and disabling my account in SAM did
actually disable it to ssh.  Unfortunately, we don't have any untrusted
systems, so I can't tell if it's a ramification of the HPs whole tcb
shananigans (their version of shadow files) or if all of HP is similarly
fixed.
 
Also, I'm pretty sure that this behavior in Solaris way predated version 8.
 

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Wednesday, January 30, 2002 7:17
To: Lacoss-Arnold, Jason; 'Damien Miller'; Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


Since normally it's impossible to access the account of a password-disabled
account, should default behavior on Solaris be to assume password-disabled
means access-disabled?
 
It seems to me that the rest of the Solaris tools assume "no password = no
access".  Perhaps we should as well, and provide a separate configuration
option to override to the useful but non-obvious pubkey-only mode.
 
Thoughts?
 
--Dan

----- Original Message ----- 
From: Lacoss-Arnold, Jason <mailto:Jason.Lacoss-Arnold at AGEDWARDS.com>  
To: 'Damien Miller' <mailto:djm at mindrot.org>  ; Frank Cusack
<mailto:fcusack at fcusack.com>  
Cc: openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>  ;
Dost,  <mailto:Alexander.Dost at drkw.com> Alexander 
Sent: Wednesday, January 30, 2002 4:59 AM
Subject: RE: locked account accessable via pubkey auth


No, it's at best a really annoying "feature" but it feels more
like a bug.
Basically, it makes it a royal pain in the arse to disable an account when a
user leaves since all of the Solaris tools assume that passwd=*LK* means
that the account is disabled.  Hence, if you actually want to disable the
account you have to first use Sun's tool and additionally either change the
shell to /bin/false or similar, put the user in a group that's listed in
sshd_config's DenyGroups, go wipe out user keys and configs, or some other
kludge.  Kludging sucks.

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 


-----Original Message----- 
From: Damien Miller [ mailto:djm at mindrot.org <mailto:djm at
mindrot.org> ]
Sent: Tuesday, January 29, 2002 22:40 
To: Frank Cusack 
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander 
Subject: Re: locked account accessable via pubkey auth 


On Tue, 29 Jan 2002, Frank Cusack wrote: 
> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote: 
> > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote: 
> > > maybe this is a silly question ;-) But why is it possible to
login on
a 
> > > machine with a locked account (passwd -l ) via
pubkey-authentication
> > > (authorized_keys) ? 
> > > I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this
should not 
> > > happen. 
> > 
> > Check the list archives and you'll find others with the same
problem.
> > Noone has turned up a solution with Solaris 8/PAM yet. 
> 
> huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can 
> look into this, unfortunately not within a day or so. 
I don't think it is a bug even. Having accounts with locked passwords, but 
still accessible via pubkey auth is a very useful thing. 

-d 


_______________________________________________ 
openssh-unix-dev at mindrot.org mailing list 
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
<http://www.mindrot.org/mailman/listinfo/openssh-unix-dev>  



****************************************************************************
***********
WARNING: All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
****************************************************************************
***********




***************************************************************************************
WARNING:  All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020130/54eb8e22/attachment.html

No.  ftp doesn't allow it.  The console doesn't allow it.  The r*
commands
would allow it, but we don't allow them for obvious reasons.  But we feel
that the tool we're using to rid ourselves of security holes shouldn't
replicate security holes.
 

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Wednesday, January 30, 2002 7:43
To: Lacoss-Arnold, Jason; 'Damien Miller'; Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


Without SSH, is there *any* other way to access a password-locked account
than to su in from root?
 
If not, I don't see it as being valid to allow a pubkey "backdoor"
by
default.  It comes down to whether the platforms are equating "no password
no access".  Unless something else has access with no password, we
shouldn't
be allowing such.
 
Now, do we generally directly manage passwd/shadow files on Solaris, or do
we usually go through PAM?  Can PAM report an LK password state, so we could
check for it before allowing pubkey?
 
--dan
 
 
 

----- Original Message ----- 
From: Lacoss-Arnold, Jason <mailto:Jason.Lacoss-Arnold at AGEDWARDS.com>  
To: 'Dan Kaminsky' <mailto:dan at doxpara.com>  ; 'Damien
Miller'
<mailto:djm at mindrot.org>  ; Frank Cusack <mailto:fcusack at
fcusack.com>
Cc: openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>  ;
Dost,  <mailto:Alexander.Dost at drkw.com> Alexander 
Sent: Wednesday, January 30, 2002 5:26 AM
Subject: RE: locked account accessable via pubkey auth

As an interesting side note, HP-UX used to also have this problem, but I
just tested on an 11.0 trusted HP-UX box and disabling my account in SAM did
actually disable it to ssh.  Unfortunately, we don't have any untrusted
systems, so I can't tell if it's a ramification of the HPs whole tcb
shananigans (their version of shadow files) or if all of HP is similarly
fixed.
 
Also, I'm pretty sure that this behavior in Solaris way predated version 8.
 

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Wednesday, January 30, 2002 7:17
To: Lacoss-Arnold, Jason; 'Damien Miller'; Frank Cusack
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


Since normally it's impossible to access the account of a password-disabled
account, should default behavior on Solaris be to assume password-disabled
means access-disabled?
 
It seems to me that the rest of the Solaris tools assume "no password = no
access".  Perhaps we should as well, and provide a separate configuration
option to override to the useful but non-obvious pubkey-only mode.
 
Thoughts?
 
--Dan

----- Original Message ----- 
From: Lacoss-Arnold, Jason <mailto:Jason.Lacoss-Arnold at AGEDWARDS.com>  
To: 'Damien Miller' <mailto:djm at mindrot.org>  ; Frank
<mailto:fcusack at fcusack.com> Cusack 
Cc: openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>  ;
Dost, Alexander <mailto:Alexander.Dost at drkw.com>  
Sent: Wednesday, January 30, 2002 4:59 AM
Subject: RE: locked account accessable via pubkey auth


No, it's at best a really annoying "feature" but it feels more
like a bug.
Basically, it makes it a royal pain in the arse to disable an account when a
user leaves since all of the Solaris tools assume that passwd=*LK* means
that the account is disabled.  Hence, if you actually want to disable the
account you have to first use Sun's tool and additionally either change the
shell to /bin/false or similar, put the user in a group that's listed in
sshd_config's DenyGroups, go wipe out user keys and configs, or some other
kludge.  Kludging sucks.

Thanks, 
--Jason Lacoss-Arnold, Systems Technical Specialist 
Technical Services - Unix Arch. 
314-955-8501 


-----Original Message----- 
From: Damien Miller [ mailto:djm at mindrot.org <mailto:djm at
mindrot.org> ]
Sent: Tuesday, January 29, 2002 22:40 
To: Frank Cusack 
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander 
Subject: Re: locked account accessable via pubkey auth 


On Tue, 29 Jan 2002, Frank Cusack wrote: 
> On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote: 
> > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote: 
> > > maybe this is a silly question ;-) But why is it possible to
login on
a 
> > > machine with a locked account (passwd -l ) via
pubkey-authentication
> > > (authorized_keys) ? 
> > > I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this
should not 
> > > happen. 
> > 
> > Check the list archives and you'll find others with the same
problem.
> > Noone has turned up a solution with Solaris 8/PAM yet. 
> 
> huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can 
> look into this, unfortunately not within a day or so. 
I don't think it is a bug even. Having accounts with locked passwords, but 
still accessible via pubkey auth is a very useful thing. 

-d 


_______________________________________________ 
openssh-unix-dev at mindrot.org mailing list 
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
<http://www.mindrot.org/mailman/listinfo/openssh-unix-dev>  



****************************************************************************
***********
WARNING: All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
****************************************************************************
***********




****************************************************************************
***********
WARNING: All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
****************************************************************************
***********




***************************************************************************************
WARNING:  All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020130/2d670479/attachment.html

>On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
>> maybe this is a silly question ;-) But why is it possible to login on a
>> machine with a locked account (passwd -l ) via pubkey-authentication
>> (authorized_keys) ?
>
>expired passwords are very different from expired accounts:
which are different to locked accounts.
>if a password is expired the password can longer be used.
correct.  The password can be changed either by the user at login,
r*/telnet/ssh/dtlogin in Solaris support this.  ftp doesn't and can't
due to protocol restrictions.
>if an account is expired the account can longer be used.
correct.  This in Solaris is an absoulte date in time.  The passwd
command is used to set this but we have no easy way to reactivate
the account other than chaning the date to something in the future.

OpenSSH honours this when PAM is used.
>or am I missing something?
A locked account in Solaris is one who's password begins *LK*, this
is what happens when running passwd -l <user>.  *NP* means that the
password wasn't accessible to that user - either passwd.adjunct is
in use for NIS or the NIS+ password table permissions are set so that
only the user can see their password (if it was the user doing the lookup
then it means that they haven't had their AUTH_DH keys registered with the
local keyserv (ie not done a keylogin or had pam_unix run)).

This works because *LK* can't possibly match the hashed password the
user types in when crypt(3c) is used.  But if like OpenSSH you don't
always use pam_authenticate then this doesn't stop the user getting
in if you only call pam_acct_mgmt.

This is fixed in Solaris 9 the pam_unix_account module in Solaris 9 explicitly
checks for the *LK* string so SSH logins with publickey to an account with
*LK* as the first 4 chars of the password field will be denied - which is the
correct behaviour.   

If you wish to disable password based login but do want to have publickey
based login then use NP which is no password (this is what is used for the
"system" accounts that should never have a login password set on
them).

An account can also be refused login because it has been idle too long,
this is based on the last login date in lastlog - this is pretty much
useless because it is on a per host basis rather than network wide.

--
Darren J Moffat

>On Solaris 8, passwd(8) says -l "Locks password entry for _name_".
It does
>not say that it locks the *account*.  So this would seem to be consistent
>with pubkey auth still being allowed.  Even so, I would tend to think it
>should lock the "account".  I don't know if this list is a
good place for
>it, but personally I would be interested in hearing arguments for either.
It is a bug and it has been fixed in Solaris 9, see my other email for
the details.

--
Darren J Moffat

On Wed, Jan 30, 2002 at 09:55:09AM -0800, Darren Moffat
wrote:
> This is fixed in Solaris 9 the pam_unix_account module in Solaris 9
explicitly
> checks for the *LK* string so SSH logins with publickey to an account with
> *LK* as the first 4 chars of the password field will be denied - which is
the
> correct behaviour.   
Please make sure the man page is updated. :-)  For Solaris 8 it says
the password is locked (not the account).

/fc

>On Wed, Jan 30, 2002 at 11:23:31AM -0500, Nicolas Williams wrote:
>> Leave things as they are please - do not add a check to see if the
>> password field in the shadow entry is *LK*, that would not be generally
>> useful (think: what if you're using only Kerberos for password
>> validation?).
The you should NOT be marking the account as being locked you should
give it an invalid password entry - eg NP.
>I have to agree with Nico here, don't try to second guess the system
>designers.  On Solaris (up to 8, anyway), it seems that 'passwd -l'
is
>NOT intended to lock the account.  Those that want other behaviour should
>take it up with the vendor (or switch vendors).
It has always been a bug.  However until PAM became a public API in
Solaris 2.6 it wasn't possible to augment the authentication so most
apps just did strcmp(crypt(getpass()), sp->sp_pwd) and with *LK* you
couldn't get a success.  

When PAM was introduced the difference between the account being locked
and password being something invalid be came more obvious,
pam_sm_uthenticate() in pam_unix(5) checks the password that the user
offers matches what is stored encrypted in the relevant nameservice.
pam_acct_mgmt() checks the account validity (password aging, expiry
etc).

Most of the time applications call pam_authenticate() first and with
the pam_unix(5) module you never get any further.  sshd, cron are the
obvious exceptions to that. cron was where we found this issue.

It is logged as bug# 4506972 in SunSolve.

As justification from existing documentation I offer:

pam_sm_acct_mgmt(3pam) says:

     The pam_sm_acct_mgmt() function determines  whether  or  not
     the  current  user's  account and password are valid.   This
     includes checking for password and account  expiration,  and
     valid  login  times.  The user in question is specified by a
     prior call to pam_start(), and is referenced by the  authen-
     tication handle, pamh, which is passed as the first argument
     to pam_sm_acct_mgmt(). The following flags may be set in the
     flags field:

     The pam_acct_mgmt() function is called to determine  if  the
     current user's account is valid.  It checks for password and
     account expiration, and verifies access hour restrictions.
     This function is typically called after the user  has  been
     authenticated with pam_authenticate(3PAM).


pam_unix(5) says:
 
Unix Account Management Module
     The UNIX account management component provides a function to
     perform account management, pam_sm_acct_mgmt(). The function
     retrieves the user's password entry from the  UNIX  password
     database  and  verifies that the user's account and password
     have not expired. The following options may be passed in  to
     the UNIX service module:

shadow(4) defines a valid password:
     password
           A 13-character encrypted password for the user, a lock
           string  to  indicate that the login is not accessible,
           or no string, which shows that there  is  no  password
           for the login.

All Solaris code used *LK* to mean locked.  NIS+ uses *NP* to mean
I'm not giving it to you.

Note that it doesn't actually say what the lock string is until
Solaris 9.


New in Solaris 9 is pam_unix_account(5) which says:

     pam_unix_account provides functionality to the  PAM  account
     management  stack. The function pam(3PAM) function retrieves
     password aging information from the  repositories  specified
     in  nsswitch.conf(4),  and  verifies that the user's account
     and password have not expired.

passwd(1)'s description of the -l flag does still say:
     -l    Locks password entry for name.


Note that it doesn't say it locks the password it says locks the
"password
entry", implying it disables access to the account.  I agree this could
be clearer - I'll see what I can do about getting it changed.

--
Darren J Moffat

HP-UX 11.00
from: man passwd
-l		Lock user account.

from: man getspent
getspent(3C)                                                   getspent(3C)
 
 NAME
      getspent, getspnam, setspent, endspent - access secure password
      entries, for trusted systems only.
 
 SYNOPSIS
      #include <shadow.h>
 
      struct spwd * getspent (void);
 
      struct spwd * getspnam (const char *name);
 
      void setspent (void);
 
      void endspent (void);
 
 DESCRIPTION
      The routines getspent() and getspnam() return a pointer to the next
      secured password entry. Each entry is a spwd structure, declared in
      the shadow.h header file with the following members:
 
           char  *sp_namp;  /* the user's login name */
           char  *sp_pwdp;  /* the encrypted password for the user */
           long  sp_lstchg; /* # of days from 1/1/70 when passwd was last
modified */
           long  sp_min;    /* min # of days allowed between password
changes */
           long  sp_max;    /* max # of days allowed between password
changes */
           long  sp_warn;   /* # of days before password expires and warning
issued*/
           long  sp_inact;  /* # of days between account inactive and
disabled */
           long  sp_expire; /* # of days from 1/1/70 when account is locked
*/
           unsigned long   sp_flag;/* currently unused */
 
      The getspent() routine returns a pointer to the first spwd structure
      when first called. Subsequent calls return pointers to successive spwd
      structures. Repeated calls to getspent() can be used to search all
      entries in the protected password database. The getspnam () routine
      searches password entries from beginning to end until a login name
      matching name is found, and returns a pointer to that entry.
 
      If the fields corresponding to sp_min, sp_max, sp_lstchg, sp_warn,
      sp_inact, sp_expire, or sp_flag are not specified in the entry, they
      default to -1. If an end-of-file or an error is encountered in reading
      or a format error is detected, these functions return a null pointer
      and; for an error, errno is set to EINVAL.
 
      The setspent() routine is used to reset access to the secured password
      entries. After setspent() is called, the subsequent call to getspent()
      returns the first secured password entry. This mechanism is used to
      allow repeated searches of the secured password entries. The
      endspent() routine is used to indicate that processing of secured
      password entries is complete.
 
 Hewlett-Packard Company            - 1 -  HP-UX Release 11.00: October 1997
 
 getspent(3C)                                                   getspent(3C)
 
      getspent() is only supported on trusted systems.
 
      The secured password facility is implemented without the use of the
      /etc/shadow file.  getspent(), getspnam(), setspent(), and endspent()
      read from the trusted system's protected password database
      (/tcb/files/auth/*/*) and not /etc/shadow.  The file /etc/shadow is
      not used in any way by the HP-UX login facility.
 
      These routines return a null pointer and sets ERRNO to ENOENT if the
      system has not been converted to trusted system.  In all other cases,
      the return value is set similarly to getprpwent().  See getprpwent(3)
      for more information.
 
      Programs using these routines must be compiled with -lsec.
 
 FILES
      /etc/passwd                   System Password file.
      /tcb/files/auth/*/*           Protected password database, for trusted
                                    systems.
 
 SEE ALSO
      getpwent(3C), getprpwent(3), passwd(4).
 
 DIAGNOSTICS
      getspent(), getspnam(), and fgetspent() return a null pointer on EOF
      or error.
 
 STANDARDS CONFORMANCE
      getspent : SVID3

Thanks,
--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501


-----Original Message-----
From: Frank Cusack [mailto:fcusack at fcusack.com]
Sent: Wednesday, January 30, 2002 18:01
To: Damien Miller
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth


On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller
wrote:
> On Tue, 29 Jan 2002, Frank Cusack wrote:
> 
> > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > > maybe this is a silly question ;-) But why is it possible to
login
on a
> > > > machine with a locked account (passwd -l ) via
pubkey-authentication
> > > > (authorized_keys) ?
> > 
> > huh..  This is definitely a bug; probably in the Solaris PAM libs.  I
can
> > look into this, unfortunately not within a day or so.
> 
> I don't think it is a bug even. Having accounts with locked passwords,
but
> still accessible via pubkey auth is a very useful thing.
I agree, that is useful, but whether or not it's a bug depends on the
meaning
of 'passwd -l'.  SUSv2 does not define the passwd command, so I guess
this
is implementation-dependent.

On Solaris 8, passwd(8) says -l "Locks password entry for _name_".  It
does
not say that it locks the *account*.  So this would seem to be consistent
with pubkey auth still being allowed.  Even so, I would tend to think it
should lock the "account".  I don't know if this list is a good
place for
it, but personally I would be interested in hearing arguments for either.

Can someone report on what the HP-UX man page says?  I'd also be interested
to see the man page for HP-UX getspent().  (Another email in this thread
says HP-UX prevents pubkey auth after 'passwd -l'.)

/fc

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev


***************************************************************************************
WARNING:  All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020131/cf61d62b/attachment.html

>On Wed, Jan 30, 2002 at 05:02:37PM -0800, Darren Moffat wrote:
>> New in Solaris 9 is pam_unix_account(5) which says:
>> 
>>      pam_unix_account provides functionality to the  PAM  account
>>      management  stack. The function pam(3PAM) function retrieves
>>      password aging information from the  repositories  specified
>>      in  nsswitch.conf(4),  and  verifies that the user's account
>>      and password have not expired.
>
>hmm... This seems broken.  If I want a certain service to check pam_unix,
>I list it in pam.conf.  Instead, I'm now supposed to call
pam_unix_account()
>specifically?  Is pam_unix_account() somehow different than the normal
>pam account mgmt w/ pam_unix in pam.conf?  The intent of this (AFAICT) is
>so that an app can always check against pam_unix, regardless of what's
in
>pam.conf -- broken.  Sorry, this is getting OT.
You completely missunderstood what pam_unix_account(5) is. The 5 is the
hint - it is a module not a function.  We have made no changes to
the API for applications or modules.

We took the big gob of pam_unix that we had from 2.6 though 8 and 
split it into smaller chunks to be more consistant with what is in the
Open Group spec and to make it easier for people to just replace the
password validation routines.

The new default pam.conf is attached.
>> passwd(1)'s description of the -l flag does still say:
>>      -l    Locks password entry for name.
>> 
>> 
>> Note that it doesn't say it locks the password it says locks the
"password
>> entry", implying it disables access to the account.  I agree this
could
>> be clearer - I'll see what I can do about getting it changed.
>
>Do you know if a patch will be available for Solaris 8?
I'll look into it.

--
Darren J Moffat
-------------- next part --------------
#
#ident	"@(#)pam.conf	1.20	02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_projects.so.1
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other	account required	pam_projects.so.1
other	account required	pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin		auth optional		pam_krb5.so.1 try_first_pass
#login		auth optional		pam_krb5.so.1 try_first_pass
#other		auth optional		pam_krb5.so.1 try_first_pass
#cron		account optional 	pam_krb5.so.1
#other		account optional 	pam_krb5.so.1
#other		session optional 	pam_krb5.so.1
#other		password optional 	pam_krb5.so.1 try_first_pass

On Thu, Jan 31, 2002 at 09:11:35AM -0800, Darren Moffat
wrote:
> You completely missunderstood what pam_unix_account(5) is. The 5 is the
> hint - it is a module not a function.  We have made no changes to
> the API for applications or modules.
> 
> We took the big gob of pam_unix that we had from 2.6 though 8 and 
> split it into smaller chunks to be more consistant with what is in the
> Open Group spec and to make it easier for people to just replace the
> password validation routines.
> 
> The new default pam.conf is attached.
> 
> --
> Darren J Moffat
Content-Description: pam.conf
> login	auth requisite		pam_authtok_get.so.1
> login	auth required		pam_dhkeys.so.1
> login	auth required		pam_unix_auth.so.1
> login	auth required		pam_dial_auth.so.1
Cool. Very cool. I have wanted this sort of thing...

Now, it would be cooler still if you could specify which Unix account
backend to use (files, nis, nisplus, ldap).

And with respect to pam_krb5, is your current approach still to make it
a sort of convenience kinit-in-PAM? Or can Solaris 9 really use Kerberos
V for user password authentication?

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

Offtopic for this list but I believe there are people who hang out here
that would be interested in the answer.
>And with respect to pam_krb5, is your current approach still to make it
>a sort of convenience kinit-in-PAM? Or can Solaris 9 really use Kerberos
>V for user password authentication?
It is really authentication.  Fixed under bug# 4516495 for Solaris 9.

--
Darren J Moffat

On Thu, 31 Jan 2002, Darren Moffat wrote:
> We took the big gob of pam_unix that we had from 2.6 though 8 and
> split it into smaller chunks to be more consistant with what is in the
> Open Group spec and to make it easier for people to just replace the
> password validation routines.
>
> The new default pam.conf is attached.
What version of Solaris will this pam.conf and the associated libraries be
available in?

Thanks,

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

>On Thu, 31 Jan 2002, Darren Moffat wrote:
>
>> We took the big gob of pam_unix that we had from 2.6 though 8 and
>> split it into smaller chunks to be more consistant with what is in the
>> Open Group spec and to make it easier for people to just replace the
>> password validation routines.
>>
>> The new default pam.conf is attached.
>
>What version of Solaris will this pam.conf and the associated libraries be
>available in?
Solaris 9.

--
Darren J Moffat