[Bug 1261861] [NEW] man page for sshd contains error about NP and locked accounts

Rodney Beede 1261861 at bugs.launchpad.net
Tue Dec 17 18:09:05 UTC 2013


Public bug reported:

man sshd

This paragraph:

     Regardless of the authentication type, the account is checked to ensure that it is accessible.  An account is not accessible if it is locked, listed in DenyUsers or its group is
     listed in DenyGroups .  The definition of a locked account is system dependant. Some platforms have their own account database (eg AIX) and some modify the passwd field ( ‘*LK*’
     on Solaris and UnixWare, ‘*’ on HP-UX, containing ‘Nologin’ on Tru64, a leading ‘*LOCKED*’ on FreeBSD and a leading ‘!’ on most Linuxes).  If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field should be set to something other than these values (eg ‘NP’ or ‘*NP*’ ).


The recommended use of NP or *NP* causes a conflict as "If the encrypted
password in /etc/passwd is "*NP*" (without the quotes), the shadow
record should be obtained from an NIS+ server."

http://man7.org/linux/man-pages/man5/passwd.5.html


The upstream OpenSSH package doesn't have this paragraph in the man page so it was something added by Debian/Ubuntu.


How an account is locked and what OpenSSH checks for locked also depends on whether UsePAM is yes or no.  When yes, an account can still be logged into even when the password entry field has a leading "!".  When no, OpenSSH's behavior is to treat the account as inaccessible if there is a leading "!" in the password.


This paragraph should be updated to recommend something else.  Perhaps
"no password login allowed" as the recommended value.

It'd be nice to have this paragraph submitted upstream as well.


Reference also:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=219377

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: manpage

https://bugs.launchpad.net/bugs/1261861
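
The following is an added example, not part of the bug report and not OpenSSH code: a small audit that applies the lock markers from the quoted sshd man page paragraph and the `*NP*` rule from the quoted passwd(5) text to account entries. The function names, result labels and sample entries are hypothetical, and the UsePAM branch encodes the behaviour as the report describes it.

```python
# Lock markers exactly as listed in the sshd man page paragraph quoted above.
LOCK_MARKERS = {
    "solaris": lambda f: f == "*LK*",
    "unixware": lambda f: f == "*LK*",
    "hpux": lambda f: f == "*",
    "tru64": lambda f: "Nologin" in f,
    "freebsd": lambda f: f.startswith("*LOCKED*"),
    "linux": lambda f: f.startswith("!"),
}

def classify(field, platform="linux", use_pam=False):
    """Classify one password field (labels are hypothetical)."""
    if LOCK_MARKERS[platform](field):
        # Per the report: with UsePAM yes, a leading "!" does not stop login;
        # with UsePAM no, sshd treats the account as inaccessible.
        if platform == "linux" and use_pam:
            return "marker-ignored-under-pam"
        return "locked"
    # Linux passwd(5), as quoted in the report: "*NP*" means the shadow
    # record is fetched from an NIS+ server, so it is not a neutral value.
    if platform == "linux" and field == "*NP*":
        return "nis-plus-lookup"
    return "not-locked"

def audit(text, platform="linux", use_pam=False):
    """Map account name -> classification for name:field:... lines."""
    results = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, field = line.split(":", 2)[:2]
        results[name] = classify(field, platform, use_pam)
    return results

# Constructed sample entries (name and password field lead both the
# passwd(5) and shadow(5) line formats); hashes are placeholders.
SAMPLE_ENTRIES = """\
alice:$6$constructed$placeholder:16000:0:99999:7:::
bob:!$6$constructed$placeholder:16000:0:99999:7:::
deploy:*NP*:16000:0:99999:7:::
backup:NP:16000:0:99999:7:::
"""

if __name__ == "__main__":
    for pam in (False, True):
        print("UsePAM", "yes" if pam else "no", audit(SAMPLE_ENTRIES, use_pam=pam))
```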
