I respectfully disagree with Jamie Strandboge regarding his statement: "ssh public key logins are not disabled by the use of '!'."

OpenSSH, when *not* relying on PAM for account checking (i.e. "UsePAM no"), will itself consider an account "locked" if the user's password field in the shadow file is prefixed with "!". See
http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/auth.c?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n139
and
http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/configure.ac?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n770 .

You can clearly see in your example that you were using PAM (though the log file explicitly shows that sshd was using PAM for session processing, that implicitly reveals that sshd was also using PAM for account processing, as both are used when "UsePAM yes"). When sshd uses PAM for account processing, PAM does not regard the exclamation mark or asterisks (i.e. "!" or "*") as locking the account, and PAM does not prevent the SSH session from proceeding as OpenSSH does when performing account checking itself.

I found this bug report when searching the internet for 'ssh "User root not allowed because account is locked"', and through the tip that "!" and "*" are sometimes treated differently in regard to OpenSSH, I was able to figure out the difference in detail.

--
https://bugs.launchpad.net/bugs/296841

Title:
  root account has ! as default password

Status in VMBuilder: Fix Released
Status in base-passwd package in Ubuntu: Fix Released
Status in shadow package in Ubuntu: Fix Released
Status in vm-builder package in Ubuntu: Fix Released
Status in base-passwd source package in Dapper: Invalid
Status in shadow source package in Dapper: Fix Released
Status in vm-builder source package in Dapper: Invalid
Status in base-passwd source package in Gutsy: Invalid
Status in shadow source package in Gutsy: Fix Released
Status in vm-builder source package in Gutsy: Invalid
Status in base-passwd source package in Hardy: Invalid
Status in shadow source package in Hardy: Fix Released
Status in vm-builder source package in Hardy: Invalid
Status in base-passwd source package in Intrepid: Invalid
Status in shadow source package in Intrepid: Fix Released
Status in vm-builder source package in Intrepid: Fix Released
Status in base-passwd source package in Jaunty: Fix Released
Status in shadow source package in Jaunty: Fix Released
Status in vm-builder source package in Jaunty: Fix Released

Bug description:
  Mathiaz reported that vm created for ec2 could be logged on to the root account using ! as a password.

  It was later verified that this problem could be reproduced on any vm generated by python-vm-builder and some version of ubuntu-vm-builder.

  Security fix for uvb in hardy fixed this but was later on reverted in the version in -proposed.

  Test:
  Create a vm using "sudo vmbuilder kvm ubuntu --addpkg openssh-server"
  Start the VM
  Log in using ssh root@vm with password !

Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
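
The distinction drawn in the comment above, as an added example that is not part of the original message or of OpenSSH: a small audit that reads an sshd_config and a shadow file and reports, per account, whether a "!" prefix is enforced by sshd itself or left to PAM. The function names, status labels and sample entries are constructed for illustration; the check covers only the "!" prefix and the UsePAM setting described in the comment.

```python
# Added illustration: hypothetical helper names, constructed sample data.
SAMPLE_SHADOW = """\
root:!:14000:0:99999:7:::
deploy:!$6$constructedsalt$constructedhash:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14000:0:99999:7:::
"""


def use_pam(sshd_config: str) -> bool:
    """Effective UsePAM value: sshd keeps the first value it reads and
    defaults to "no" when the keyword is absent."""
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.replace("=", " ", 1).split()
        if len(fields) >= 2 and fields[0].lower() == "usepam":
            return fields[1].lower() == "yes"
    return False


def audit(shadow: str, sshd_config: str) -> dict:
    """Map each account to how its shadow password field interacts with sshd."""
    pam = use_pam(sshd_config)
    report = {}
    for line in shadow.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a shadow entry
        user, field = parts[0], parts[1]
        if not field.startswith("!"):
            # Includes "*": no password login, but no "!" prefix for sshd to match.
            report[user] = "no_bang_prefix"
        elif pam:
            # Account checking is delegated to PAM, which per the comment
            # above does not treat "!" as a lock: key logins are not refused.
            report[user] = "lock_not_enforced_by_sshd"
        else:
            # sshd's own check logs "not allowed because account is locked".
            report[user] = "refused_by_sshd"
    return report


if __name__ == "__main__":
    for cfg in ("UsePAM yes\n", "UsePAM no\n"):
        print(cfg.strip(), audit(SAMPLE_SHADOW, cfg))
```

Accounts reported as `lock_not_enforced_by_sshd` are the ones to review: the "!" stops password authentication but does not by itself stop a login with an authorized public key.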