[Adduser-devel] Bug#412742: adduser: neither disabled{password, login} disables the account

Justin Pryzby justinpryzby at users.sourceforge.net
Tue Feb 27 19:56:47 CET 2007

Package: adduser
Version: 3.102

adduser has 2 options:

|adduser [--home DIR] [--shell SHELL] [--no-create-home] [--uid ID]
|[--firstuid ID] [--lastuid ID] [--gecos GECOS] [--ingroup GROUP | --gid ID]
|[--disabled-password] [--disabled-login] USER
 ^^^^^^^^^^^^^^^^^^^   ^^^^^^^^^^^^^^^^
|  Add a normal user

Internally, disabled-login seems to disable more than disabled-password:
            "disabled-password" => sub { $ask_passwd = 0 },
	    "disabled-login" => sub { $disabled_login = 1; $ask_passwd = 0 },

And the manpage is consistent with this interpretation:

|      --disabled-login
|      Do not run passwd to set the password.  The user won't be able
|      to use her account until the password is set.

|      --disabled-password
|      Like --disabled-login, but logins are still possible (for exam-
|      ple using SSH RSA keys) but not using password authentication.

So I expect disabled-password users to be able to login with RSA keys, and
disabled-login users to be completely disabled?  Both of them accept RSA auth
over SSH.  Is there some RSA auth that can happen locally??

disabled-login makes the shadow file have a "*":  

|   } else /* if ($ask_passwd) */ {
|                   if(!$disabled_login) {
|       		    my $usermod = &which('usermod');
|       		    &systemcall($usermod, '-p', '*', $new_name);
|       	    }
|   }

Is some broken login program supposed to be checking for * as a special case?
Are the 1-character flags [x!*] supposed to act differently?

Similar bugs include 389183.

More information about the Adduser-devel mailing list