passwd -l now locks out ssh keys too

Bug #185767 reported by James Blackwell
Affects: shadow (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

This bug probably belongs with the passwd package, which I cannot find in the bug submission package list.

"passwd -l username" used to disable passwords for an account yet allow ssh connections to go through. This behavior, which had existed in both Debian and Ubuntu since inception (in other words, for at least a decade), no longer exists in Hardy Heron. The old behavior had the benefit of allowing log-in-able accounts without the risk of a dictionary-attackable password. Now, at least in Hardy Heron, "passwd -l" really does fully disable the account, even for accounts with ssh keys, by setting the expiry field to 1.

The result of this change is that any admins expecting the old "passwd -l" behavior will render logins (ssh, console, etc.) impossible on any account and server for which passwd -l is run.

Any of the following changes should be able to restore the previously available functionality:

1) Restore previous behavior.

2) Patch "passwd -l" to warn of changed behavior. Add new option to passwd that sets user's password to an impossible one without setting expiry.

3) Add new "vishadow" command (to perform appropriate locking and such) which would behave similarly to vipw, for disabling passwords by hand.
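
An added example (not part of the original report, and not code from the shadow package): a shell function that reads shadow(5)-format lines and separates accounts with only the password locked from accounts that also carry a past expiry date, the state the report attributes to "passwd -l" on Hardy. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify shadow(5) entries by the kind of lock they carry.
# Field 2 is the password hash, field 8 the account expiry date
# (days since 1970-01-01; empty means the account never expires).

classify_shadow() {
    # $1 = today's date in days since the epoch; shadow lines on stdin.
    awk -F: -v today="$1" '
    NF < 8 { next }                          # skip malformed lines
    {
        # A leading "!" or "*" means no typed password can ever match.
        pwlocked = ($2 ~ /^[!*]/)
        # A non-empty expiry date that is not in the future.
        expired  = ($8 != "" && $8 + 0 <= today + 0)

        if (pwlocked && expired) state = "pwlocked+expired"
        else if (expired)        state = "expired"
        else if (pwlocked)       state = "pwlocked"
        else                     state = "not-locked"
        print $1, state
    }'
}

# Constructed sample entries (not real accounts or real hashes).
sample_shadow() {
cat <<'EOF'
alice:!$6$constructedsalt$constructedhash:13900:0:99999:7::1:
bob:!$6$constructedsalt$constructedhash:13900:0:99999:7:::
carol:$6$constructedsalt$constructedhash:13900:0:99999:7:::
dave:*:13900:0:99999:7:::
EOF
}

# Stand-alone run over the sample; on a real host, feed /etc/shadow
# (root only) to classify_shadow instead of sample_shadow.
sample_shadow | classify_shadow "$(( $(date +%s) / 86400 ))"
```

Accounts reported as "pwlocked" match the old behavior described above (password disabled, expiry untouched), while "pwlocked+expired" is the combination with the expiry field set to 1.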
