# HG changeset patch # Parent 089f4fba0112d410a1bfa74398941f076681d446 new option UsePAMCheckLocks to enforce checking for locked accounts while UsePAM is used bnc#708678, FATE#312033 Index: openssh-8.8p1/auth.c =================================================================== --- openssh-8.8p1.orig/auth.c +++ openssh-8.8p1/auth.c @@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas if (!pw || !pw->pw_name) return 0; - if (!options.use_pam && platform_locked_account(pw)) { + if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) { logit("User %.100s not allowed because account is locked", pw->pw_name); return 0; #@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas # #endif # # /* check for locked account */ #- if (!options.use_pam && passwd && *passwd) { #+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { # int locked = 0; # # #ifdef LOCKED_PASSWD_STRING Index: openssh-8.8p1/servconf.c =================================================================== --- openssh-8.8p1.orig/servconf.c +++ openssh-8.8p1/servconf.c @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions /* Portable-specific options */ options->use_pam = -1; + options->use_pam_check_locks = -1; /* Standard Options */ options->num_ports = 0; @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; + if (options->use_pam_check_locks == -1) + options->use_pam_check_locks = 0; /* Standard Options */ if (options->num_host_key_files == 0) { @@ -485,7 +488,7 @@ fill_default_server_options(ServerOption typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ - sUsePAM, + sUsePAM, sUsePAMChecklocks, /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, @@ -535,8 +538,10 @@ static struct { /* Portable-specific options */ #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, + { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL }, #else { "usepam", sUnsupported, SSHCFG_GLOBAL }, + { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL }, #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ @@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO case sUsePAM: intptr = &options->use_pam; goto parse_flag; + case sUsePAMChecklocks: + intptr = &options->use_pam_check_locks; + goto parse_flag; /* Standard Options */ case sBadOption: Index: openssh-8.8p1/servconf.h =================================================================== --- openssh-8.8p1.orig/servconf.h +++ openssh-8.8p1/servconf.h @@ -200,6 +200,7 @@ typedef struct { char *adm_forced_command; int use_pam; /* Enable auth via PAM */ + int use_pam_check_locks; /* internally check for locked accounts even when using PAM */ int permit_tun; Index: openssh-8.8p1/sshd_config.0 =================================================================== --- openssh-8.8p1.orig/sshd_config.0 +++ openssh-8.8p1/sshd_config.0 @@ -1074,6 +1074,14 @@ DESCRIPTION If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is no. + UsePAMCheckLocks + When set to ``yes'', the checks whether the account has been + locked with `passwd -l' are performed even when PAM authentication + is enabled via UsePAM. This is to ensure that it is not possible + to log in with e.g. a public key (in such a case PAM is used only + to set up the session and some PAM modules will not check whether + the account is locked in this scenario). The default is ``no''. + VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default Index: openssh-8.8p1/sshd_config.5 =================================================================== --- openssh-8.8p1.orig/sshd_config.5 +++ openssh-8.8p1/sshd_config.5 @@ -1775,6 +1775,18 @@ is enabled, you will not be able to run as a non-root user. The default is .Cm no . +.It Cm UsePAMCheckLocks +When set to +.Dq yes +, the checks whether the account has been locked with +.Pa passwd -l +are performed even when PAM authentication is enabled via +.Cm UsePAM . +This is to ensure that it is not possible to log in with e.g. a +public key (in such a case PAM is used only to set up the session and some PAM +modules will not check whether the account is locked in this scenario). The +default is +.Dq no . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection.