On Wed, 11 May 2005 01:40:33 +0300, Shaul Karl <[EMAIL PROTECTED]> wrote:
>The way I understand it, the effect of ! or * is identical.

No.

>Alternatively, the difference is set by the configuration of pam, which,
>I believe, is out of adduser scope. This matches my experience that login
>through SSH RSA key is possible even if a '!' is used.
>  In any case, am I right that adduser's --disabled-login and
>--disabled-password looks to be the same?

Once again, it is "UsePam yes" in the default /etc/ssh/sshd_config
which breaks things. If that option is switched off, an account
created with adduser --disabled-login is impossible to ssh into (log
entry "sshd[14704]: User testuser not allowed because account is
locked") while an account created with adduser --disabled-password can
ssh in fine via authorized_keys.

"UsePam yes" is generally a _big_ surprise for the local admin since
it allows passwords to be used even if "UsePasswordAuthentification
no" is set in sshd_config. Looks like we have just found the second
security option which is broken by "UsePam yes". Bad, very bad.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mail address in header
Mannheim, Germany   |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
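Added example, not part of the original message: a small Python audit that reads shadow entries and an sshd_config and marks the accounts whose '!' lock depends on the UsePAM behaviour described above. The sample data, the function names and the review rule are assumptions constructed for illustration.

```python
# Constructed sample inputs; not taken from any real system.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:12914:0:99999:7:::
testlogin:!:12914:0:99999:7:::
testpw:*:12914:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# constructed fragment
PasswordAuthentication no
UsePAM yes
"""


def use_pam_enabled(config_text):
    """Return True if the first UsePAM line says yes (sshd keeps the first value it reads)."""
    for raw in config_text.splitlines():
        # Drop comments; keywords are case-insensitive and may use '=' as separator.
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "usepam":
            return parts[1].lower() == "yes"
    return False  # upstream OpenSSH default when the keyword is absent


def shadow_state(field):
    """Classify the password field of one shadow entry."""
    if field.startswith("!"):
        return "locked"        # the state discussed for --disabled-login
    if field == "*":
        return "no-password"   # the state discussed for --disabled-password
    return "empty" if field == "" else "password"


def audit(shadow_text, config_text):
    """Return (user, state, needs_review) for every shadow entry."""
    pam = use_pam_enabled(config_text)
    rows = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue  # skip blank or malformed lines
        state = shadow_state(fields[1])
        # With UsePAM yes the message reports that a '!' account is not
        # refused by sshd, so such an account needs a manual check of its
        # authorized_keys and of the PAM account stack.
        rows.append((fields[0], state, pam and state == "locked"))
    return rows


if __name__ == "__main__":
    for user, state, review in audit(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG):
        print(f"{user:10} {state:12} {'REVIEW' if review else 'ok'}")
```

On a real host the two inputs would be the contents of /etc/shadow (root only) and /etc/ssh/sshd_config.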

