# new option UsePAMCheckLocks to enforce checking for locked accounts while
# UsePAM is used
# bnc#708678, FATE#312033
Index: b/auth.c
===================================================================
--- a/auth.c
+++ b/auth.c
@@ -109,7 +109,7 @@ allowed_user(struct passwd * pw)
 		return 0;
 
 #ifdef USE_SHADOW
-	if (!options.use_pam)
+	if (!options.use_pam || options.use_pam_check_locks)
 		spw = getspnam(pw->pw_name);
 #ifdef HAS_SHADOW_EXPIRE
 	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
@@ -129,7 +129,7 @@ allowed_user(struct passwd * pw)
 #endif
 
 	/* check for locked account */
-	if (!options.use_pam && passwd && *passwd) {
+	if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
 		int locked = 0;
 
 #ifdef LOCKED_PASSWD_STRING
Index: b/servconf.c
===================================================================
--- a/servconf.c
+++ b/servconf.c
@@ -74,6 +74,7 @@ initialize_server_options(ServerOptions
 
 	/* Portable-specific options */
 	options->use_pam = -1;
+	options->use_pam_check_locks = -1;
 
 	/* Standard Options */
 	options->num_ports = 0;
@@ -187,6 +188,8 @@ fill_default_server_options(ServerOption
 	/* Portable-specific options */
 	if (options->use_pam == -1)
 		options->use_pam = 0;
+	if (options->use_pam_check_locks == -1)
+		options->use_pam_check_locks = 0;
 
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
@@ -392,7 +395,7 @@ fill_default_server_options(ServerOption
 typedef enum {
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
-	sUsePAM,
+	sUsePAM, sUsePAMChecklocks,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
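Review bot: In the first auth.c hunk the shadow entry is now fetched when UsePAM and UsePAMCheckLocks are both set, but the HAS_SHADOW_EXPIRE test on the very next line still requires `!options.use_pam`, so an expired account passes allowed_user and is left entirely to PAM while a locked one is rejected here. If leaving expiry to PAM is deliberate, a comment on that line saying so would stop the next reader from "fixing" it; otherwise the same condition belongs there: `if ((!options.use_pam || options.use_pam_check_locks) && spw != NULL && auth_shadow_acctexpired(spw))`. The compound condition is repeated verbatim in the locked-account check of the second auth.c hunk; computing it once near the top of the function, e.g. `int check_locks = !options.use_pam || options.use_pam_check_locks;`, would keep the two tests from drifting apart. The lines between the two hunks, where `passwd` is presumably populated from `spw`, and the rest of allowed_user are outside the hunks.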
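Review bot: The new enum constant `sUsePAMChecklocks` in the `sUsePAM,` line capitalises the option differently from the keyword `UsePAMCheckLocks` and the field `use_pam_check_locks`; `sUsePAMCheckLocks` would match both and is the spelling a later reader will grep for (the same identifier recurs in the keyword table and in process_server_config_line in the following servconf.c hunks, so all three would need the rename together). Giving it its own line, as the existing `sUsePAM,` line has, would also keep the Portable-specific group readable as it grows.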
@@ -442,8 +445,10 @@ static struct {
 	/* Portable-specific options */
 #ifdef USE_PAM
 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
+	{ "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+	{ "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
 #endif
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
@@ -1004,6 +1009,9 @@ process_server_config_line(ServerOptions
 	case sUsePAM:
 		intptr = &options->use_pam;
 		goto parse_flag;
+	case sUsePAMChecklocks:
+		intptr = &options->use_pam_check_locks;
+		goto parse_flag;
 
 	/* Standard Options */
 	case sBadOption:
Index: b/servconf.h
===================================================================
--- a/servconf.h
+++ b/servconf.h
@@ -173,6 +173,7 @@ typedef struct {
 	char   *adm_forced_command;
 
 	int	use_pam;		/* Enable auth via PAM */
+	int	use_pam_check_locks;	/* internally check for locked accounts even when using PAM */
 
 	int	permit_tun;
 
Index: b/sshd_config.0
===================================================================
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -950,6 +950,14 @@ DESCRIPTION
              If UsePAM is enabled, you will not be able to run sshd(8) as a
              non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
 
+     UsePAMCheckLocks
+             When set to ``yes'', the checks whether the account has been
+             locked with `passwd -l' are performed even when PAM authentication
+             is enabled via UsePAM. This is to ensure that it is not possible
+             to log in with e.g. a public key (in such a case PAM is used only
+             to set up the session and some PAM modules will not check whether
+             the account is locked in this scenario). The default is ``no''.
+
      UsePrivilegeSeparation
              Specifies whether sshd(8) separates privileges by creating an
              unprivileged child process to deal with incoming network traffic.
Index: b/sshd_config.5
===================================================================
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1574,6 +1574,18 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Dq no .
+.It Cm UsePAMCheckLocks
+When set to
+.Dq yes
+, the checks whether the account has been locked with
+.Pa passwd -l
+are performed even when PAM authentication is enabled via
+.Cm UsePAM .
+This is to ensure that it is not possible to log in with e.g. a
+public key (in such a case PAM is used only to set up the session and some PAM
+modules will not check whether the account is locked in this scenario). The
+default is
+.Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8