[Adduser-devel] Bug#625758: 'adduser --disabled-login' does not behave as documented.

[Matthew Woodcraft]

Package: adduser
Version: 3.112+nmu2
Severity: normal

The adduser manpage in squeeze contains the following:

   --disabled-login
          Do  not  run passwd to set the password.  The user won't be able
          to use her account until the password is set.

   --disabled-password
          Like --disabled-login, but logins are still possible (for  exam‐
          ple using SSH RSA keys) but not using password authentication.

Similar text has been there for many years, but it hasn't really been
true in Debian since whenever 'UsePAM yes' became the default in
sshd_config: an account created using --disabled-login can still be used
to log in using public-key authentication without a password being set.

I think either the adduser manpage should be changed to not imply that
disabled-login will prevent SSH public-key logins, or else adduser
--disabled-login should be changed to do the equivalent of 'chage -E 1'.


Versions of packages adduser depends on:
ii  debconf [de 1.5.36.1                     Debian configuration management sy
ii  passwd      1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
ii  perl-base   5.10.1-17                    minimal Perl system