author | Darren Tucker <dtucker@zip.com.au> | 2003-08-25 03:51:19 +0200 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2003-08-25 03:51:19 +0200 |
commit | e41bba584737f028579961ddf6669b6a768e47e7 (patch) | |
tree | 65b6dba443b02b4ebfe6704162685e1f712643b4 /sshd.8 | |
parent | - (bal) redo how we handle 'mysignal()'. Move it to (diff) | |
- (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
any access to locked accounts. ok djm@
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -114,6 +114,29 @@ authentication combined with RSA host authentication, RSA challenge-response authentication, or password based authentication. .Pp +Regardless of the authentication type, the account is checked to +ensure that it is accessible. An account is not accessible if it is +locked, listed in +.Cm DenyUsers +or its group is listed in +.Cm DenyGroups +\&. The definition of a locked account is system dependant. Some platforms +have their own account database (eg AIX) and some modify the passwd field ( +.Ql \&*LK\&* +on Solaris, +.Ql \&* +on HP-UX, containing +.Ql Nologin +on Tru64 and a leading +.Ql \&!! +on Linux). If there is a requirement to disable password authentication +for the account while allowing still public-key, then the passwd field +should be set to something other than these values (eg +.Ql NP +or +.Ql \&*NP\&* +). +.Pp Rhosts authentication is normally disabled because it is fundamentally insecure, but can be enabled in the server configuration file if desired. |
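Review bot: The sentence that carries the operative guidance in the added paragraph, "If there is a requirement to disable password authentication for the account while allowing still public-key", has its words out of order and ends on a bare adjective; suggest "while still allowing public-key authentication". In the same paragraph, "system dependant" should be "system dependent". The punctuation is also written as separate text lines ("\&." after ".Cm DenyGroups", the trailing "(" before ".Ql \&*LK\&*", and the closing ")." line), which mdoc will render with a stray space around each mark; passing the punctuation as a trailing macro argument, for example ".Cm DenyGroups .", keeps it attached to the preceding word. Since administrators will use this list to decide whether a passwd field value locks an account, it would help to state whether each listed marker must match the whole field, a prefix, or a substring: the text says "containing" for Tru64 and "a leading" for Linux but leaves the Solaris and HP-UX entries unqualified.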