bugzilla-daemon at mindrot.org
2002-Nov-24 03:23 UTC
[Bug 442] New: sshd allows login via public-key when account locked
http://bugzilla.mindrot.org/show_bug.cgi?id=442
Summary: sshd allows login via public-key when account locked
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: dtucker at zip.com.au
Observed on Redhat and Solaris.
When openssh is configured without PAM, an account that is locked (via passwd -l) can still be logged into via public-key authentication.
Although the password field is modified (to "*LK*" on Solaris or with a leading "!" on Redhat), allowed_user() does not test for those so if password authentication isn't used, the login still succeeds.
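An added example, not part of the report and not OpenSSH's own code: a lock test that an account check could run regardless of authentication method, using only the two markers the report names. The function and macro names are hypothetical, and the shadow-style lines are constructed samples parsed from strings so the check runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Lock markers named in the report; the macro names are hypothetical. */
#define LOCK_FIELD_SOLARIS "*LK*"  /* Solaris: passwd -l sets the field to this */
#define LOCK_PREFIX_REDHAT '!'     /* Redhat: passwd -l prepends this to the hash */

/* Return 1 if a password field of length len carries a lock marker, else 0. */
int passwd_field_locked(const char *field, size_t len)
{
    if (len == strlen(LOCK_FIELD_SOLARIS) &&
        memcmp(field, LOCK_FIELD_SOLARIS, len) == 0)
        return 1;
    return len > 0 && field[0] == LOCK_PREFIX_REDHAT;
}

/* Parse "name:passwd:..."; return 1 locked, 0 not locked, -1 no passwd field. */
int shadow_line_locked(const char *line)
{
    const char *start, *end;

    if (line == NULL || (start = strchr(line, ':')) == NULL)
        return -1;
    start++;
    end = strchr(start, ':');
    return passwd_field_locked(start,
        end ? (size_t)(end - start) : strlen(start));
}

/* Account-level decision, independent of how the user authenticated.
 * Fails closed: a malformed entry is treated as not permitted. */
int login_permitted(const char *line)
{
    return shadow_line_locked(line) == 0;
}

int main(void)
{
    /* Constructed sample entries, not taken from a real system. */
    const char *samples[] = {
        "alice:$1$abcdefgh$constructedhash0000000:12000:0:99999:7:::",
        "bob:!$1$abcdefgh$constructedhash0000000:12000:0:99999:7:::",
        "carol:*LK*:::::::",
        "broken-entry",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24.24s permitted=%d\n", samples[i], login_permitted(samples[i]));
    return 0;
}
```

Only the two markers from the report are tested; other platforms may mark locked accounts differently.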
