# HG changeset patch # Parent 089f4fba0112d410a1bfa74398941f076681d446 new option UsePAMCheckLocks to enforce checking for locked accounts while UsePAM is used bnc#708678, FATE#312033 Index: openssh-8.8p1/auth.c =================================================================== --- openssh-8.8p1.orig/auth.c +++ openssh-8.8p1/auth.c @@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas if (!pw || !pw->pw_name) return 0; - if (!options.use_pam && platform_locked_account(pw)) { + if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) { logit("User %.100s not allowed because account is locked", pw->pw_name); return 0; #@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas # #endif # # /* check for locked account */ #- if (!options.use_pam && passwd && *passwd) { #+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { # int locked = 0; # # #ifdef LOCKED_PASSWD_STRING Index: openssh-8.8p1/servconf.c =================================================================== --- openssh-8.8p1.orig/servconf.c +++ openssh-8.8p1/servconf.c @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions /* Portable-specific options */ options->use_pam = -1; options->pam_service_name = NULL; + options->use_pam_check_locks = -1; /* Standard Options */ options->num_ports = 0; @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption options->use_pam = 0; if (options->pam_service_name == NULL) options->pam_service_name = xstrdup(SSHD_PAM_SERVICE); + if (options->use_pam_check_locks == -1) + options->use_pam_check_locks = 0; /* Standard Options */ if (options->num_host_key_files == 0) { @@ -485,7 +488,7 @@ fill_default_server_options(ServerOption typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ - sUsePAM, sPAMServiceName, + sUsePAM, sPAMServiceName, sUsePAMChecklocks, /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, @@ -535,9 +538,11 @@ static struct { #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, { "pamservicename", sPAMServiceName, SSHCFG_ALL }, + { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL }, #else { "usepam", sUnsupported, SSHCFG_GLOBAL }, { "pamservicename", sUnsupported, SSHCFG_ALL }, + { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL }, #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ @@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO if (*activep && *charptr == NULL) *charptr = xstrdup(arg); break; + case sUsePAMChecklocks: + intptr = &options->use_pam_check_locks; + goto parse_flag; /* Standard Options */ case sBadOption: Index: openssh-8.8p1/servconf.h =================================================================== --- openssh-8.8p1.orig/servconf.h +++ openssh-8.8p1/servconf.h @@ -200,6 +200,7 @@ typedef struct { int use_pam; /* Enable auth via PAM */ char *pam_service_name; + int use_pam_check_locks; /* internally check for locked accounts even when using PAM */ int permit_tun; Index: openssh-8.8p1/sshd_config.0 =================================================================== --- openssh-8.8p1.orig/sshd_config.0 +++ openssh-8.8p1/sshd_config.0 @@ -1074,6 +1074,14 @@ DESCRIPTION If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is no. + UsePAMCheckLocks + When set to ``yes'', the checks whether the account has been + locked with `passwd -l' are performed even when PAM authentication + is enabled via UsePAM. This is to ensure that it is not possible + to log in with e.g. a public key (in such a case PAM is used only + to set up the session and some PAM modules will not check whether + the account is locked in this scenario). The default is ``no''. + VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default Index: openssh-8.8p1/sshd_config.5 =================================================================== --- openssh-8.8p1.orig/sshd_config.5 +++ openssh-8.8p1/sshd_config.5 @@ -1775,6 +1775,18 @@ is enabled, you will not be able to run as a non-root user. The default is .Cm no . +.It Cm UsePAMCheckLocks +When set to +.Dq yes +, the checks whether the account has been locked with +.Pa passwd -l +are performed even when PAM authentication is enabled via +.Cm UsePAM . +This is to ensure that it is not possible to log in with e.g. a +public key (in such a case PAM is used only to set up the session and some PAM +modules will not check whether the account is locked in this scenario). The +default is +.Dq no . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection.