Bjorn Steensrud wrote:
On a HP-UX 11 system we have an account that was created by a script, with
a locked account - i.e. a "*" in /etc/password
to prevent logging in to this account with password authentication. Could
it still be possible to log in with ssh using pubkey authentication?
We don't want to set the global policy to pubkey only.
Depends on which ssh implementation you're using and you didn't specify.
OpenSSH, for example, checks specifically for whatever the underlying OS
uses to indicate a locked account. On HP-UX, that's a string of "*" in
the password field. That means that if you use something else in the
password field that doesn't constitute a valid encrypted password then
it won't be considered locked, but no password authentication will work.
Solaris has a specific string "NP" which is useful for this. I don't
know if HP-UX has something equivalent, but if it doesn't then "NP" or
"**" should be OK as long as the native utilities don't do anything silly.
The alternative is to just set the account's password to something
random and then forget what it is :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
