[Adduser-devel] Bug#625758: 'adduser --disabled-login' does not behave as documented.

Sam Morris sam at robots.org.uk
Fri Jul 26 19:17:51 UTC 2013

On Fri, 2013-07-26 at 19:39 +0100, Stephen Gran wrote:
> This one time, at band camp, Sam Morris said:
> > Therefore I don't see the use of having both options, unless some other
> > software cares about the difference between the two values,
> They do mean something different:
> From the wikipedia page:
> "NP" or "!" or null - No password, the account has no password.
> "LK" or "*" - the account is Locked, user will be unable to log-in
> There is a semantic difference between the two.  ! in the field says
> that authentication with a password should never succeed.  * says that
> login should never succeed, even if alternate forms of authentication
> (such as ssh keys) are in use.  The above chunk of code is correct if it
> is in a password checking routine - both should return false for
> authentication.

See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=219377>. It is
possible to SSH in to a machine as an account with only * in its
password field. In addition, shadow(5) doesn't draw any distinction
between the two values:

        If the password field contains some string that is not a valid
        result of crypt(3), for instance ! or *, the user will not be
        able to use a unix password to log in (but the user may log in
        the system by other means).

pam_unix's accounting code doesn't use the password field at all--only
the additional fields in the shadow file.

My gut feeling is that if there ever was a distinction between the two
values, it is lost to history. Perhaps * used to be used before the
advent of shadow files to indicate that the entire account was locked
rather than just the password. I don't know, I wasn't around in those
days. :)


Sam Morris <https://robots.org.uk/>
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20130726/fc7bb6cf/attachment.sig>

More information about the Adduser-devel mailing list