man page for sshd contains error about NP and locked accounts

Bug #1261861 reported by Rodney Beede on 2013-12-17
This bug affects 1 person
Affects: openssh (Ubuntu)

Bug Description

man sshd

This paragraph:

     Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is
     listed in DenyGroups . The definition of a locked account is system dependant. Some platforms have their own account database (eg AIX) and some modify the passwd field ( ‘*LK*’
     on Solaris and UnixWare, ‘*’ on HP-UX, containing ‘Nologin’ on Tru64, a leading ‘*LOCKED*’ on FreeBSD and a leading ‘!’ on most Linuxes). If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field should be set to something other than these values (eg ‘NP’ or ‘*NP*’ ).

The recommended use of NP or *NP* causes a conflict as "If the encrypted password in /etc/passwd is "*NP*" (without the quotes), the shadow record should be obtained from an NIS+ server."

The upstream OpenSSH package doesn't have this paragraph in the man page so it was something added by Debian/Ubuntu.

How an account is locked, and what OpenSSH checks for to decide whether it is locked, also depends on whether UsePAM is yes or no. When yes, an account can still be logged into even when the password entry field has a leading "!". When no, OpenSSH's behavior is to treat the account as inaccessible if there is a leading "!" in the password.

This paragraph should be updated to recommend something else. Perhaps "no password login allowed" as the recommended value.

It'd be nice to have this paragraph submitted upstream as well.

Reference also:

Changed in openssh (Ubuntu):
importance: Undecided → Wishlist
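As an added illustration (not part of the bug report or the OpenSSH project), the following audit helper applies the rules the report describes to constructed /etc/shadow lines: a leading "!" is what sshd treats as locked on Linux when UsePAM is no, while values like "NP" and "*NP*" only prevent password authentication, and "*NP*" carries the NIS+ ambiguity the report raises. The sample entries and the classification labels are constructed for this example.

```python
from typing import Dict

# Constructed sample /etc/shadow content (not from a real system).
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19700:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19700:0:99999:7:::
deploy:NP:19700:0:99999:7:::
backup:*NP*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
bob::19700:0:99999:7:::
"""


def classify_password_field(field: str) -> str:
    """Classify a shadow password field as sshd sees it with UsePAM no.

    Labels are constructed for this example:
      locked      leading '!' (passwd -l); sshd denies any auth type
      empty       no password set at all (see PermitEmptyPasswords)
      key-only    not a valid hash, so no password can match; keys still work
      password    looks like a crypt(3) hash; password auth is possible
    With UsePAM yes, PAM account modules decide instead.
    """
    if field.startswith("!"):
        return "locked"
    if field == "":
        return "empty"
    if field == "*NP*":
        # Value the report flags: NIS+ clients read it as "fetch from server".
        return "key-only (NIS+ ambiguity)"
    if field.startswith("$") and field.count("$") >= 3:
        return "password"
    return "key-only"


def audit_shadow(text: str) -> Dict[str, str]:
    """Return {username: classification} for each shadow line."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        result[parts[0]] = classify_password_field(parts[1])
    return result


if __name__ == "__main__":
    for user, state in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {state}")
```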