Public bug reported:

man sshd

This paragraph:

     Regardless of the authentication type, the account is checked to ensure
     that it is accessible.  An account is not accessible if it is locked,
     listed in DenyUsers or its group is listed in DenyGroups.  The definition
     of a locked account is system dependant. Some platforms have their own
     account database (eg AIX) and some modify the passwd field (‘*LK*’ on
     Solaris and UnixWare, ‘*’ on HP-UX, containing ‘Nologin’ on Tru64, a
     leading ‘*LOCKED*’ on FreeBSD and a leading ‘!’ on most Linuxes).  If
     there is a requirement to disable password authentication for the account
     while allowing still public-key, then the passwd field should be set to
     something other than these values (eg ‘NP’ or ‘*NP*’).


The recommended use of NP or *NP* causes a conflict as "If the encrypted
password in /etc/passwd is "*NP*" (without the quotes), the shadow
record should be obtained from an NIS+ server."

http://man7.org/linux/man-pages/man5/passwd.5.html


The upstream OpenSSH package doesn't have this paragraph in the man page so it 
was something added by Debian/Ubuntu.


How an account is locked and what OpenSSH checks for locked also depends on
whether UsePAM is yes or no.  When yes, an account can still be logged into
even when the password entry field has a leading "!".  When no, OpenSSH's
behavior is to treat the account as inaccessible if there is a leading "!" in
the password.


This paragraph should be updated to recommend something else.  Perhaps
"no password login allowed" as the recommended value.

It'd be nice to have this paragraph submitted upstream as well.


Reference also:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=219377

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: manpage

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1261861

Title:
  man page for sshd contains error about NP and locked accounts

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1261861/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
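
Added example (not part of the original report and not OpenSSH code): a small audit that labels password fields using the per-platform lock markers from the quoted sshd(8) paragraph and flags "*NP*", which passwd(5) reserves for NIS+ lookups. The matching modes (exact, prefix, contains), the label names and the sample lines are assumptions of this example.

```python
# Added example: label a passwd/shadow password field using the lock markers
# quoted from sshd(8) in the report. Matching modes are this example's reading.
LOCK_MARKERS = {
    "solaris":  ("exact", "*LK*"),
    "unixware": ("exact", "*LK*"),
    "hp-ux":    ("exact", "*"),
    "tru64":    ("contains", "Nologin"),
    "freebsd":  ("prefix", "*LOCKED*"),
    "linux":    ("prefix", "!"),
}

def is_locked(field, platform="linux"):
    """True if the field carries the platform's lock marker."""
    mode, marker = LOCK_MARKERS[platform]
    if mode == "exact":
        return field == marker
    if mode == "prefix":
        return field.startswith(marker)
    return marker in field

def classify(field, platform="linux", use_pam=False):
    """Return a label (names are hypothetical) for one password field."""
    if is_locked(field, platform):
        # Per the report, with UsePAM yes the marker alone does not block login.
        return "lock-marker-pam-decides" if use_pam else "locked"
    if field == "*NP*":
        return "nis-plus-lookup"      # passwd(5): shadow record comes from NIS+
    if field == "":
        return "empty-password"
    if field.startswith("$"):
        return "password-hash"        # assumes modular crypt ($id$salt$hash)
    return "no-usable-hash"           # e.g. "NP": no password matches, no lock marker

def audit(lines, platform="linux", use_pam=False):
    """Map each user in 'user:field:...' lines to its label."""
    result = {}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            user, field = line.split(":")[:2]
            result[user] = classify(field, platform, use_pam)
    return result

# Constructed sample entries, not taken from any real system.
SAMPLE = [
    "alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::",
    "backup:!$6$constructedsalt$constructedhash:19000::::::",
    "deploy:*NP*:19000::::::",
    "svc:NP:19000::::::",
    "daemon:*:19000::::::",
]
```

Running audit(SAMPLE) with platform "linux" labels "deploy" as a NIS+ lookup rather than a key-only account, which is the conflict the report describes.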
