[Adduser-devel] Bug#625758: 'adduser --disabled-login' does not behave as documented.
sam at robots.org.uk
Fri Jul 26 19:17:51 UTC 2013
On Fri, 2013-07-26 at 19:39 +0100, Stephen Gran wrote:
> This one time, at band camp, Sam Morris said:
> > Therefore I don't see the use of having both options, unless some other
> > software cares about the difference between the two values,
> They do mean something different:
> From the wikipedia page:
> "NP" or "!" or null - No password, the account has no password.
> "LK" or "*" - the account is Locked, user will be unable to log-in
> There is a semantic difference between the two. ! in the field says
> that authentication with a password should never succeed. * says that
> login should never succeed, even if alternate forms of authentication
> (such as ssh keys) are in use. The above chunk of code is correct if it
> is in a password checking routine - both should return false for
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=219377>. It is
possible to SSH in to a machine as an account with only * in its
password field. In addition, shadow(5) doesn't draw any distinction
between the two values:

    If the password field contains some string that is not a valid
    result of crypt(3), for instance ! or *, the user will not be
    able to use a unix password to log in (but the user may log in
    the system by other means).

pam_unix's accounting code doesn't use the password field at all--only
the additional fields in the shadow file.

My gut feeling is that if there ever was a distinction between the two
values, it is lost to history. Perhaps * used to be used before the
advent of shadow files to indicate that the entire account was locked
rather than just the password. I don't know, I wasn't around in those
Sam Morris <https://robots.org.uk/>
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
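
The behaviour discussed in this message, as an added example that is not part of the original post or of adduser: an audit that treats `!` and `*` identically, as the quoted shadow(5) text does, and lists accounts whose password is unusable while the account itself is not expired. The sample entries are constructed, the hash pattern is a heuristic, and only the expire field is modelled for the account check.

```python
import re
import time
from typing import NamedTuple

# Constructed sample in shadow(5) layout (not real hashes):
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$salt$hashhashhash:15900:0:99999:7:::
svc-star:*:15900:0:99999:7:::
svc-bang:!:15900:0:99999:7:::
bob:!$6$salt$hashhashhash:15900:0:99999:7:::
carol:!$6$salt$hashhashhash:15900:0:99999:7::1:
nopw::15900:0:99999:7:::
"""

# Heuristic for "valid result of crypt(3)": modular-crypt ($id$...) or 13-char DES.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")

class Entry(NamedTuple):
    name: str
    password: str          # "usable", "unusable" or "empty"
    account_expired: bool

def classify(line, today_days):
    """Classify one shadow line; today_days is days since 1970-01-01."""
    fields = line.split(":")
    if len(fields) < 8:
        raise ValueError(f"malformed shadow line: {line!r}")
    name, pw, expire = fields[0], fields[1], fields[7]
    if pw == "":
        state = "empty"
    elif HASH_RE.match(pw):
        state = "usable"
    else:
        state = "unusable"   # "!", "*", "!<hash>": nothing crypt(3) can produce
    # Simplified model of the account check: only the expire field is consulted.
    expired = expire != "" and today_days >= int(expire)
    return Entry(name, state, expired)

def password_only_locked(shadow_text, today_days):
    """Names whose password is unusable but whose account is not expired."""
    entries = [classify(l, today_days) for l in shadow_text.splitlines() if l.strip()]
    return [e.name for e in entries if e.password == "unusable" and not e.account_expired]

if __name__ == "__main__":
    today = int(time.time() // 86400)
    for name in password_only_locked(SAMPLE_SHADOW, today):
        print(f"{name}: password login blocked, other authentication may still work")
```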