[Bug 1180553] Re: adduser --disabled-login still allows for SSH RSA keys login
Rodney Beede
1180553 at bugs.launchpad.net
Wed May 15 21:01:42 UTC 2013
Corrected package
** Package changed: shadow (Ubuntu) => adduser (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1180553
Title:
adduser --disabled-login still allows for SSH RSA keys login
Status in “adduser” package in Ubuntu:
New
Bug description:
adduser --disabled-login --gecos "" --shell /bin/bash testuser
I am not prompted for a password as expect, but if I create a .ssh/authorized_keys file (say it was in my /etc/skel/) in the home directory of the new user I can login as that user using SSH keys. The --disabled-password is meant for that.
I should not be able to login at all.
Ubuntu 13.04 64-bit Server edition.
The fix would be to also set the account to be immediately expired in the same manner as doing "usermod --expiredate 1" does in addition to marking the password disabled.
If this fix cannot be done then the man page for adduser should be
updated to warn about this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1180553/+subscriptions
More information about the foundations-bugs
mailing list