[Adduser-devel] Bug#625758: 'adduser --disabled-login' does not behave as documented.

Stephen Gran sgran at debian.org
Sat Jul 27 07:44:55 UTC 2013

This one time, at band camp, Sam Morris said:
> On Fri, 2013-07-26 at 19:39 +0100, Stephen Gran wrote:
> > This one time, at band camp, Sam Morris said:
> > > Therefore I don't see the use of having both options, unless some other
> > > software cares about the difference between the two values,
> > 
> > They do mean something different:
> > 
> > From the wikipedia page:
> > 
> > "NP" or "!" or null - No password, the account has no password.
> > "LK" or "*" - the account is Locked, user will be unable to log-in
> > 
> > There is a semantic difference between the two.  ! in the field says
> > that authentication with a password should never succeed.  * says that
> > login should never succeed, even if alternate forms of authentication
> > (such as ssh keys) are in use.  The above chunk of code is correct if it
> > is in a password checking routine - both should return false for
> > authentication.
> See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=219377>. It is
> possible to SSH in to a machine as an account with only * in its
> password field. In addition, shadow(5) doesn't draw any distinction
> between the two values:
>         If the password field contains some string that is not a valid
>         result of crypt(3), for instance ! or *, the user will not be
>         able to use a unix password to log in (but the user may log in
>         the system by other means).
> pam_unix's accounting code doesn't use the password field at all--only
> the additional fields in the shadow file.
> My gut feeling is that if there ever was a distinction between the two
> values, it is lost to history. Perhaps * used to be used before the
> advent of shadow files to indicate that the entire account was locked
> rather than just the password. I don't know, I wasn't around in those
> days. :)

So, I think that maybe I'm confused - I am under the impression that
you started by saying that there is no useful difference between the
two states 'locked' and 'disabled'.  I responded by saying there was.
In defense of your statement, you've pointed me to a bug report that
says that pam now looks elsewhere to distinguish between the two states,
and that it was a bug in shadow not to set that other flag, and that
that bug is now fixed.

It seems to me that the resolution here is, "there is a semantic
difference between these two states".  How that is expressed in the passwd
file doesn't actually matter to adduser - adduser just uses passwd and
the other tools to manipulate the files.  If there were bugs in their
handling of the files that are now fixed, then all is well, right?

|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
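To make the distinction the thread argues over concrete, here is an added example (not adduser's code and not from the thread) that reads constructed shadow(5) entries, classifies the password field the way shadow(5) describes it, and separately reports the `expire` field that pam_unix's account check actually consults; the hash value is a placeholder.

```python
# Added example (not adduser's code): classify shadow(5) password fields as
# the thread reads them. Entries below are constructed; the hash is a placeholder.
from dataclasses import dataclass

@dataclass
class ShadowAudit:
    user: str
    password_state: str     # reading of the password field per shadow(5)
    unix_password_ok: bool  # could a unix password ever verify?
    account_expired: bool   # from the 'expire' field, which pam_unix's account
                            # check consults; the password field plays no part

def classify_password_field(field: str) -> tuple[str, bool]:
    # shadow(5): anything that is not a valid crypt(3) result (e.g. '!' or '*')
    # blocks unix-password login but says nothing about other means (SSH keys).
    if field == "":
        return "empty: passwordless (pam_unix accepts this only with nullok)", True
    if field.startswith("!"):
        if field.lstrip("!").startswith("$"):
            return "'!' prefix on a hash: locked, hash kept (passwd -u restores it)", False
        return "'!': locked, no hash", False
    if field.startswith("*"):
        return "'*': not a crypt(3) result, no unix password login", False
    if field.startswith("$"):
        return "crypt(3) hash present", True
    return "unrecognised string: not a crypt(3) result", False

def audit_shadow(lines: list[str], today: int) -> list[ShadowAudit]:
    """today = days since 1970-01-01, the unit shadow(5) date fields use."""
    results = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 9:
            continue  # malformed entry; a real audit would report it
        user, pw, _last, _min, _max, _warn, _inactive, expire, _ = fields
        state, ok = classify_password_field(pw)
        expired = expire != "" and int(expire) < today
        results.append(ShadowAudit(user, state, ok, expired))
    return results

SAMPLE = [  # constructed entries, not from a live system
    "alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "bob:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "svc:*:19000:0:99999:7:::",
    "old:*:18000:0:99999:7::18500:",
    "daemon:!:19000:0:99999:7:::",
]

for entry in audit_shadow(SAMPLE, today=19200):
    print(entry.user, "|", entry.password_state, "| expired:", entry.account_expired)
```

Note that `svc` and `old` carry the same `*` password field yet only `old` is rejected by an account-expiry check, which is the point Sam makes: the lock lives in the extra shadow fields, not in the password string.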