Locking accounts on FreeBSD

Posted by Ceri Davies Tue, 20 Sep 2005 21:00:00 GMT

An old discussion that we had in PR 71147 cropped up again on cvs-src after keramida made a commit to passwd.5 regarding the use of * in master.passwd to “lock” accounts.

I pointed out that Solaris has possibly the best model for this, with its use of *NP* and *LK* for various degrees of “locked”:

Solaris uses the string *NP* to indicate that a user has no password - password authentication is therefore disabled for that user, disallowing su, password-based ssh access, etc. Cron jobs, key-based auth, etc. continue to work. It also supports *LK* which indicates that an account is locked: in this case, cron jobs for the user will not be run and ssh access is denied altogether.

The ssh bit works because OpenSSH knows that it should be looking for the string *LK* and denying access if it is there. Search for LOCKED_PASSWD_STRING in src/crypto/openssh/auth.c.

See http://lists.freebsd.org/pipermail/cvs-src/2005-September/thread.html#52572 for the full thread.

I asked again why OpenSSH doesn’t look for *LOCKED* on FreeBSD, and des has kindly offered to look into adding it.

In the spirit of having real locked accounts, I’ve knocked up a patch for cron(8) that checks for the string “*LOCKED*” in the pw_passwd field of the struct passwd returned by getpwnam(3) and am looking for testers. I haven’t done a shred of testing myself due to a lack of machines running anything recent but if you feel brave, please check it out. The latest version will always be at http://people.FreeBSD.org/~ceri/cron.diff.
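As an added illustration of the check described above (example code written for this page, not the cron.diff patch itself), here is the decision a cron-style scheduler would make on the pw_passwd field of the struct passwd it gets back from getpwnam(3): a leading “*LOCKED*” (FreeBSD) or an exact “*LK*” (Solaris) means skip the user’s jobs, while “*NP*” or a bare “*” only disables password authentication and leaves jobs running. The sample hashes in main() are constructed, not real credentials.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* FreeBSD's pw(8) locks an account by prefixing the hash in
 * master.passwd with "*LOCKED*"; Solaris uses "*LK*" for locked
 * and "*NP*" for "no password" (cron and key-based auth still work). */
#define FREEBSD_LOCKED_STRING "*LOCKED*"
#define SOLARIS_LOCKED_STRING "*LK*"

enum acct_state { ACCT_OK = 0, ACCT_LOCKED = 1 };

/* Decide whether a scheduler such as cron(8) may run this user's jobs.
 * Only pw_passwd is consulted, so an entry from getpwnam(3) and a
 * constructed one behave the same. An unknown user (NULL) is refused. */
enum acct_state account_state(const struct passwd *pw)
{
    if (pw == NULL || pw->pw_passwd == NULL)
        return ACCT_LOCKED;
    if (strncmp(pw->pw_passwd, FREEBSD_LOCKED_STRING,
                strlen(FREEBSD_LOCKED_STRING)) == 0)
        return ACCT_LOCKED;
    if (strcmp(pw->pw_passwd, SOLARIS_LOCKED_STRING) == 0)
        return ACCT_LOCKED;
    /* "*NP*" or a bare "*" only disables password authentication;
     * neither convention stops cron jobs, so they run. */
    return ACCT_OK;
}

/* Wrapper that builds a struct passwd around a raw pw_passwd string,
 * so the check can be exercised on constructed sample hashes. */
enum acct_state state_from_hash(const char *pw_passwd)
{
    struct passwd pw;
    memset(&pw, 0, sizeof pw);
    pw.pw_passwd = (char *)pw_passwd;
    return account_state(&pw);
}

int main(void)
{
    /* Constructed master.passwd hashes, not real credentials. */
    const char *samples[] = { "$1$salt$fakehash", "*LOCKED*$1$salt$fakehash",
                              "*", "*LK*", "*NP*" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               state_from_hash(samples[i]) == ACCT_LOCKED ? "skip jobs" : "run jobs");
    return 0;
}
```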


Comments

  1. trhodes said about 19 hours later:
    EMININTIME Want to test a libkse && sparc64? :) -- Tom Rhodes
  2. Ceri said about 19 hours later:
    ETHEWHATNOW? I don't even see that defined anywhere... I can test stuff on sparc64 for you, yep.
