[Bug 1180553] [NEW] adduser --disabled-login still allows for SSH RSA keys login
Rodney Beede
1180553 at bugs.launchpad.net
Wed May 15 21:01:05 UTC 2013
Public bug reported:
adduser --disabled-login --gecos "" --shell /bin/bash testuser
I am not prompted for a password as expected, but if I create a .ssh/authorized_keys file (say it was in my /etc/skel/) in the home directory of the new user I can log in as that user using SSH keys. The --disabled-password is meant for that.
I should not be able to log in at all.
Ubuntu 13.04 64-bit Server edition.
The fix would be to also set the account to be immediately expired in the same manner as doing "usermod --expiredate 1" does in addition to marking the password disabled.
If this fix cannot be done then the man page for adduser should be
updated to warn about this.
** Affects: adduser (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1180553
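An audit for the state this report describes, added here as an example and not part of the bug report or of adduser: it lists accounts whose shadow password field is locked (`!` or `*`) and whose expiry field is unset or in the future, yet which have a non-empty authorized_keys file. The function names, the constructed fixture and sshd's default `.ssh/authorized_keys` location are assumptions.

```shell
#!/bin/sh
# Added example: list accounts with a locked password that can still log in
# with SSH keys. Assumes sshd's default AuthorizedKeysFile (.ssh/authorized_keys).

# find_key_login_accounts SHADOW PASSWD [ROOT] [TODAY]
#   ROOT  prefix prepended to home directories (empty on a live system)
#   TODAY current date in days since 1970-01-01 (as the shadow expiry field)
find_key_login_accounts() {
    shadow=$1; passwd=$2; root=${3:-}
    today=${4:-$(( $(date +%s) / 86400 ))}
    while IFS=: read -r user pw f3 f4 f5 f6 f7 expire rest; do
        case $pw in
            '!'*|'*'*) ;;        # locked or unusable password field
            *) continue ;;       # a usable password hash: not our case
        esac
        # Field 8 set and in the past: the account is expired, as after
        # "usermod --expiredate 1", so logins are refused altogether.
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            continue
        fi
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd")
        [ -n "$home" ] || continue
        # A non-empty authorized_keys file means key login is still possible.
        if [ -s "$root$home/.ssh/authorized_keys" ]; then
            printf '%s\n' "$user"
        fi
    done < "$shadow"
}

# Build a constructed fixture (not real data) and print its directory.
build_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    cat > "$d/etc/shadow" <<'EOF'
root:$6$constructed$hash:15840:0:99999:7:::
testuser:!:15840:0:99999:7:::
expired:!:15840:0:99999:7::1:
nokeys:*:15840:0:99999:7:::
EOF
    for u in root testuser expired nokeys; do
        h=/home/$u; [ "$u" = root ] && h=/root
        echo "$u:x:1000:1000:,,,:$h:/bin/bash" >> "$d/etc/passwd"
        mkdir -p "$d$h/.ssh"
        [ "$u" = nokeys ] || echo "ssh-rsa CONSTRUCTED-KEY" > "$d$h/.ssh/authorized_keys"
    done
    echo "$d"
}
```

On a live system, run it as root with `find_key_login_accounts /etc/shadow /etc/passwd`; reading /etc/shadow requires root.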