Public bug reported:

This bug probably belongs with the passwd package, which I cannot find
in the bug submission package list.

"passwd -l username" used to disable passwords for an account yet allow
ssh connections to go through. This behavior, which had existed in both
Debian and Ubuntu since inception (in other words, for at least a
decade), no longer exists in Hardy Heron. The old behavior had the
benefit of allowing log-in-able accounts without the risk of a
dictionary-attackable password. Now, at least in Hardy Heron, "passwd
-l" really does fully disable the account, even for accounts with ssh
keys, by setting the expiry field to 1.

The result of this change is that any admins expecting the old "passwd
-l" will render logins (ssh, console, etc.) impossible on any account
and server for which passwd -l is run.

Any of the following changes should be able to restore the previously available
functionality:

1) Restore previous behavior.
2) Patch "passwd -l" to warn of changed behavior. Add new option to
passwd that sets user's password to an impossible one without setting
expiry.
3) Add new "vishadow" command (to perform appropriate locking and such)
which would behave similarly to vipw, for disabling passwords by hand.

** Affects: shadow (Ubuntu)
Importance: Undecided
Status: New
--
passwd -l now locks out ssh keys too
https://bugs.launchpad.net/bugs/185767
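
An audit for the two states this report distinguishes, as an added example that is not part of the original bug report or of the shadow package: it reads shadow(5)-format lines and reports whether each account merely has its password locked or also has its expiry field set. The function names, state labels and sample entries are constructed for illustration, and the "expiry day has been reached" test is an assumption about how the expiry field is evaluated.

```shell
#!/bin/sh
# Added example, not code from the report or from the shadow package.
# shadow(5) fields: name:password:lastchg:min:max:warn:inactive:expire:reserved

# classify_shadow TODAY   (TODAY = days since 1970-01-01)
# Reads shadow-format lines on stdin and prints "name: state".
classify_shadow() {
    awk -F: -v today="$1" '
        NF == 0 { next }                          # skip blank lines
        NF < 8  { print $1 ": malformed"; next }  # too few fields to judge
        {
            # A leading "!" or "*" means no password can match the field.
            pw_locked = ($2 ~ /^[!*]/)
            # Assumption: a numeric expiry day that has been reached means
            # the account is expired; the report describes the value 1.
            expired = ($8 ~ /^[0-9]+$/ && $8 + 0 <= today + 0)
            if (expired)        state = "account-expired"
            else if (pw_locked) state = "password-locked"
            else                state = "password-usable"
            print $1 ": " state
        }'
}

# Constructed sample entries (hashes are placeholders, not real values).
sample_shadow() {
cat <<'EOF'
alice:$6$constructedsalt$constructedhash:13900:0:99999:7:::
deploy:!$6$constructedsalt$constructedhash:13900:0:99999:7:::
backup:!$6$constructedsalt$constructedhash:13900:0:99999:7::1:
EOF
}

# Demo on the constructed sample. To audit a real host, pipe the output of
# "getent shadow" (run as root) into classify_shadow instead.
sample_shadow | classify_shadow "$(( $(date +%s) / 86400 ))"
```

Accounts reported as `account-expired` are the ones the report describes as refusing every login, including ssh keys; `password-locked` corresponds to the older behavior, where only the password was disabled.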