From: Kurt Lieber
To: gentoo-dev@gentoo.org
Date: Fri, 31 Oct 2003 16:27:31 -0500
Subject: [gentoo-dev] locking user accounts doesn't really lock them.
Message-ID: <20031031212727.GZ2395@mail.lieber.org>

Right now, at least on Gentoo, if you lock a user's account with passwd -l, that user is still able to access their account if they have ssh keys set up.

This is, in my mind, a fairly big security hole. Googling, I found an issue related to the Solaris implementation of PAM[1] that was fixed in a later version.

Does anyone know if there is a way to fix this in Gentoo and/or Linux? (I don't have access to any non-Gentoo Linux boxen atm, so I can't say for sure if this issue exists on other distros.) A tweak to PAM, perhaps?

--kurt
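
An audit check for the condition described in the message above, added here as an example and not part of the original post: it lists accounts whose shadow entry is password-locked yet still have a non-empty authorized_keys file. It assumes shadow-utils conventions (passwd -l prefixes the hash with "!", and a past expiry date in shadow field 8 disables the account entirely); the function names, sample accounts and fixture are hypothetical.

```sh
#!/bin/sh
# Added example: report accounts that are password-locked but can still use SSH keys.
# Usage: locked_with_keys SHADOW_FILE PASSWD_FILE [ROOT_PREFIX]
locked_with_keys() {
    shadow=$1; passwd=$2; root=${3:-}
    today=$(( $(date +%s) / 86400 ))   # shadow(5) stores dates as days since epoch
    # Pass 1 (shadow): remember users whose hash starts with "!" (assumed
    # passwd -l marker) and whose expiry field 8 is empty, 0 or in the future.
    # Pass 2 (passwd): print "user home" for the remembered users.
    awk -F: -v today="$today" '
        NR == FNR {
            if (substr($2, 1, 1) == "!" && ($8 == "" || $8 + 0 == 0 || $8 + 0 > today))
                locked[$1] = 1
            next
        }
        ($1 in locked) { print $1, $6 }
    ' "$shadow" "$passwd" |
    while read -r user home; do
        keys="$root$home/.ssh/authorized_keys"
        # -s: the file exists and is non-empty, so key-based login is still possible
        if [ -s "$keys" ]; then printf '%s %s\n' "$user" "$keys"; fi
    done
}

# Constructed sample data: a throwaway tree with four hypothetical accounts.
make_fixture() {
    d=$(mktemp -d)
    for u in alice bob carol; do
        mkdir -p "$d/home/$u/.ssh"
        echo "ssh-ed25519 CONSTRUCTED-SAMPLE-KEY $u" > "$d/home/$u/.ssh/authorized_keys"
    done
    mkdir -p "$d/home/dave"
    cat > "$d/shadow" <<'EOF'
alice:!$6$constructed$hash:19000:0:99999:7:::
bob:$6$constructed$hash:19000:0:99999:7:::
carol:!$6$constructed$hash:19000:0:99999:7::1:
dave:!$6$constructed$hash:19000:0:99999:7:::
EOF
    for u in alice bob carol dave; do
        echo "$u:x:1000:1000::/home/$u:/bin/sh"
    done > "$d/passwd"
    echo "$d"
}

# Stand-alone run: only alice (locked, not expired, has keys) is reported.
fixture=$(make_fixture)
locked_with_keys "$fixture/shadow" "$fixture/passwd" "$fixture"
rm -rf "$fixture"
```

On a live system, run the function as root against /etc/shadow and /etc/passwd with no third argument. It only inspects ~/.ssh/authorized_keys, so a non-default AuthorizedKeysFile setting in sshd_config needs a matching path change.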