Bug#412742: [Adduser-devel] Bug#412742: adduser: neither
disabled{password, login} disables the account
Justin Pryzby
justinpryzby at users.sourceforge.net
Wed Feb 28 08:39:32 CET 2007
On Tue, Feb 27, 2007 at 11:16:49PM +0000, Stephen Gran wrote:
> This one time, at band camp, Justin Pryzby said:
> > adduser has 2 options:
> > |[--disabled-password] [--disabled-login] USER
> > ^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
> >
> > Internally, disabled-login seems to disable more than disabled-password:
> > "disabled-password" => sub { $ask_passwd = 0 },
> > "disabled-login" => sub { $disabled_login = 1; $ask_passwd = 0 },
> >
> > And the manpage is consistent with this interpretation:
>
> Correct so far.
>
> > So I expect disabled-password users to be able to login with RSA keys, and
> > disabled-login users to be completely disabled? Both of them accept RSA auth
> > over SSH. Is there some RSA auth that can happen locally??
>
> All RSA auth happens 'locally', in the sense that the public key being
> offered has to be somewhere local for the key exchange to succeed. But
> this is a fairly obvious answer, so I'm not sure that's what you were
> really asking.
I was asking if there was some auth mechanism I'm not aware of that
doesn't use a password that is affected by --disabled-login, which makes
that option useful..
> > Is some broken login program supposed to be checking for * as a special case?
> > Are the 1-character flags [x!*] supposed to act differently?
> >
> > Similar bugs include 389183.
>
> And as you'll note, they all run into the same limitation you're
> finding. It's a fundamental flaw in the overloading of the meaning of
> the field. According to shadow(5):
>
> "If the password field contains some string that is not valid result
> of crypt(3), for instance ! or *, the user will not be able to use a
> unix password to log in, subject to pam(7)."
>
> I am not sure how this is a bug in adduser, though. All that adduser
> can do is handle values available to us through standard tools like
> usermod and passwd. It explicitly does not rewrite your pam stack or
> your sshd config. But I'm assuming you know that as well, so how are
> you hoping to see this resolved?
What is it that --disabled-login does that --disabled-password doesn't?
More information about the Adduser-devel
mailing list