[Adduser-devel] Bug#625758: 'adduser --disabled-login' does not behave as documented.
Stephen Gran
sgran at debian.org
Fri Jul 26 18:39:00 UTC 2013
This one time, at band camp, Sam Morris said:
> tag 625758 + patch
> thanks
>
> With --disabled-password, the password field is set to '!'; with
> --disabled-login, it is set to '*'. pam_unix checks for both in
> verify_pw_hash:
>
>     } else if (!p || *hash == '*' || *hash == '!') {
>         retval = PAM_AUTH_ERR;
>
> Therefore I don't see the use of having both options, unless some other
> software cares about the difference between the two values,

They do mean something different:

From the Wikipedia page:

"NP" or "!" or null - No password, the account has no password.
"LK" or "*" - the account is Locked, user will be unable to log-in

There is a semantic difference between the two. ! in the field says
that authentication with a password should never succeed. * says that
login should never succeed, even if alternate forms of authentication
(such as ssh keys) are in use. The above chunk of code is correct if it
is in a password checking routine - both should return false for
authentication.

Cheers,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran at debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
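
Added example, not part of the original message and not pam_unix code: a small C classifier that applies the same first-character test as the quoted condition to shadow(5)-style lines, showing that a bare '!', a bare '*' and a hash with '!' prepended are all rejected for password authentication. The function names, the enum and the sample entries are constructed for illustration; an empty field falls outside the quoted condition and is only reported.

```c
#include <stdio.h>
#include <string.h>

/* State of the password field (second field) of a shadow(5)-style line. */
enum pw_state { PW_MALFORMED, PW_EMPTY, PW_BANG, PW_STAR, PW_HASH };

/* Constructed sample entries; salts and hashes are placeholders. */
static const char *const SAMPLE[] = {
    "alice:$6$SALT$PLACEHOLDERHASH:15912:0:99999:7:::",
    "svc-a:!:15912:0:99999:7:::",
    "svc-b:*:15912:0:99999:7:::",
    "bob:!$6$SALT$PLACEHOLDERHASH:15912:0:99999:7:::", /* '!' before a hash */
    "carol::15912:0:99999:7:::",
    "line-without-fields",
};
enum { SAMPLE_COUNT = sizeof SAMPLE / sizeof SAMPLE[0] };

enum pw_state classify_shadow_line(const char *line)
{
    const char *sep = strchr(line, ':');
    if (sep == NULL || sep == line)
        return PW_MALFORMED;                    /* no separator or empty login */
    const char *hash = sep + 1;
    size_t len = strcspn(hash, ":\n");
    if (hash[len] != ':') return PW_MALFORMED;  /* field not terminated */
    if (len == 0)         return PW_EMPTY;      /* outside the quoted check */
    if (*hash == '!')     return PW_BANG;
    if (*hash == '*')     return PW_STAR;
    return PW_HASH;
}

/* Same first-character test as the quoted line: nonzero means rejected. */
int password_auth_rejected(enum pw_state s) { return s == PW_BANG || s == PW_STAR; }

int count_rejected(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += password_auth_rejected(classify_shadow_line(lines[i]));
    return hits;
}

int main(void)
{
    static const char *names[] = { "malformed", "empty", "'!'", "'*'", "hash" };
    for (int i = 0; i < SAMPLE_COUNT; i++)
        printf("%-10s %s\n", names[classify_shadow_line(SAMPLE[i])], SAMPLE[i]);
    printf("rejected by stored field: %d\n", count_rejected(SAMPLE, SAMPLE_COUNT));
    return 0;
}
```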