[Bug 296841] Re: root account has ! as default password

undefined undefined at pobox.com
Sun Jan 3 08:12:33 UTC 2016


I respectfully disagree with Jamie Strandboge regarding his statement:
"ssh public key logins are not disabled by the use of '!'."

OpenSSH, when *not* relying on PAM for account checking (i.e. "UsePAM
no"), will itself consider an account "locked" if the user's password
field in the shadow file is prefixed with "!".  See
http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/auth.c?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n139
and
http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/configure.ac?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n770
.

You can clearly see in your example that you were using PAM (though the
log file explicitly shows that sshd was using PAM for session
processing, that implicitly reveals that sshd was using PAM also for
account processing as both are used when "UsePAM yes").  When sshd uses
PAM for account processing, PAM does not regard the exclamation mark or
asterisks (i.e. "!" or "*") as locking the account and PAM does not
prevent the SSH session from proceeding as OpenSSH does when performing
accounting checking itself.

I found this bug report when searching the internet for 'ssh "User root
not allowed because account is locked"' and through the tip that "!" and
"*" are sometimes treated differently in regard to OpenSSH, I was able
to figure out the difference in detail.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vm-builder in Ubuntu.
https://bugs.launchpad.net/bugs/296841

Title:
  root account has ! as default password

To manage notifications about this bug go to:
https://bugs.launchpad.net/vmbuilder/+bug/296841/+subscriptions
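
The behaviour described in the message above, as an added audit sketch that is not part of the original message and is not OpenSSH's code: given shadow entries and an sshd_config, it lists the accounts sshd itself would reject as locked. The function names and the sample shadow lines are constructed, and treating a missing UsePAM line as "no" is an assumption.

```python
# Added example: models the check described in the message; not OpenSSH source.
LOCKED_PREFIX = "!"  # prefix the message says sshd looks for in the shadow field


def use_pam(sshd_config_text):
    """Return True if UsePAM is 'yes' (simplified parse: first value wins)."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "usepam":
            return parts[1] == "yes"
    return False  # assumption: no UsePAM line means PAM is not used


def locked_for_sshd(shadow_text, sshd_config_text):
    """List accounts that sshd's own account check would treat as locked."""
    if use_pam(sshd_config_text):
        # Account checking is delegated to PAM, so the prefix check is skipped.
        return []
    locked = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        name, password_field = fields[0], fields[1]
        if password_field.startswith(LOCKED_PREFIX):
            locked.append(name)
    return locked


# Constructed sample data (placeholder hashes, not real ones).
SAMPLE_SHADOW = """\
root:!:16803:0:99999:7:::
daemon:*:16803:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16803:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:16803:0:99999:7:::
"""

if __name__ == "__main__":
    for cfg in ("UsePAM no\n", "UsePAM yes\n"):
        print(cfg.strip(), "->", locked_for_sshd(SAMPLE_SHADOW, cfg))
```

With "UsePAM no" the "!" entries are reported even if the account has a valid authorized_keys file, which is the case the "User root not allowed because account is locked" log line points to.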
