From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: AW: [gentoo-user] x or * in /etc/passwd ?
Date: Mon, 18 Sep 2006 15:32:34 +0200
Message-Id: <200609181532.35167.alan@linuxholdings.co.za>

On Monday 18 September 2006 14:52, Jorge Almeida wrote:
> On Mon, 18 Sep 2006, Noack, Sebastian wrote:
> > The second field in /etc/passwd also stands for the
> > password hash. But since storing passwords in /etc/passwd
> > is deprecated, it should always be an invalid hash like "x"
> > or "*" for example.
>
> Yes, but that holds for normal accounts as well as for
> "service" accounts. What I was saying is that a * in
> /etc/shadow will make logging in impossible. Did I understand
> wrong?

Maybe some RTFM is in order here :-)

From man 5 shadow:

"The password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 characters alphabet a thru z, A thru Z, 0 thru 9, . and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.

"Refer to crypt(3) for details on how this string is interpreted.

"If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7)."

A * or ! anywhere in the password hash field of /etc/shadow will make the account unloginable (is that a word???), as md5 hashes cannot contain these characters.
On my system the uucp account has '*' for a hash and dovecot has '!':

gentoo dvd # cat /etc/shadow
uucp:*:13374:0:::::
dovecot:!:13374:0:99999:7:::
gentoo dvd # cat /etc/passwd
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin

And these password hashes mean the accounts are locked:

gentoo dvd # passwd -S uucp
uucp L 08/14/2006 0 -1 -1 -1
gentoo dvd # passwd -S dovecot
dovecot L 08/14/2006 0 99999 7 -1

I can't log in to either of these accounts, and 'su -' from a root console to either account also fails - one silently, the other with a message about the account not being usable. I thought this might be the work of the shell in /etc/passwd, not the password itself, so I tested it and made /bin/bash the shell for both, then used 'su -' for both from a root console:

gentoo dvd # su - uucp
No directory, logging in with HOME=/
uucp@gentoo / $
gentoo dvd # su - dovecot
No directory, logging in with HOME=/
dovecot@gentoo / $

***********

So, in summary: '*' and '!' in /etc/shadow seem to have the same effect, and if present, passwd considers the account to be locked. The account is still perfectly usable and works in all other respects as long as you don't have to do a password login to use it (e.g. 'su -' as root).

To be certain if there's a difference between '*' and '!' or any other character, you'd have to read the code - but I myself am not up to that today :-)

alan
-- 
gentoo-user@gentoo.org mailing list
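An added audit script illustrating the shadow(5) rules quoted in the thread; it is not part of the mail. It classifies the second field the way 'passwd -S' reports it (L locked, NP no password, P usable) and converts the days-since-epoch field to the date passwd prints. The sample lines are constructed: the two accounts from the mail plus two made-up ones, and the "$1$" value is not a real digest.

```python
import re
from datetime import date, timedelta

# Constructed sample /etc/shadow content (the "$1$" hash is NOT a real digest).
SAMPLE_SHADOW = """\
uucp:*:13374:0:::::
dovecot:!:13374:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:13374:0:99999:7:::
bob::13374:0:99999:7:::
"""

# Classic crypt(3): 13-24 chars of [a-zA-Z0-9./]; modular form starts with "$id$".
_DES_CRYPT = re.compile(r"^[A-Za-z0-9./]{13,24}$")
_MODULAR = re.compile(r"^\$[0-9a-z]+\$[A-Za-z0-9./$]+$")


def password_status(field: str) -> str:
    """Classify the shadow password field as 'passwd -S' does:
    'L' locked, 'NP' no password set, 'P' usable for password login."""
    if field == "":
        return "NP"
    # shadow(5): '!' or '*' is not valid crypt(3) output, so password login fails.
    if "!" in field or "*" in field:
        return "L"
    if _MODULAR.match(field) or _DES_CRYPT.match(field):
        return "P"
    return "L"  # any other non-crypt(3) string also blocks password login


def last_change(days_field: str) -> str:
    """Field 3 counts days since 1970-01-01; format it as passwd -S does (MM/DD/YYYY)."""
    return (date(1970, 1, 1) + timedelta(days=int(days_field))).strftime("%m/%d/%Y")


def audit_shadow(text: str) -> dict:
    """Return {user: (status, last_change)} for every well-formed shadow line."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:
            continue  # shadow(5) lines have exactly nine colon-separated fields
        user, pw, changed = fields[0], fields[1], fields[2]
        result[user] = (password_status(pw), last_change(changed) if changed else "")
    return result


if __name__ == "__main__":
    for user, (status, changed) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user} {status} {changed}")
```

Run against a real /etc/shadow (as root) the same loop flags service accounts whose password field is neither locked nor a valid hash, which is what 'passwd -S' is reporting in the mail.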