* AW: [gentoo-user] x or * in /etc/passwd ?
@ 2006-09-18 10:04 Noack, Sebastian
2006-09-18 12:52 ` Jorge Almeida
0 siblings, 1 reply; 3+ messages in thread
From: Noack, Sebastian @ 2006-09-18 10:04 UTC (permalink / raw
To: gentoo-user
The second field in /etc/passwd stands also for the password hash. But
since storing passwords in /etc/passwd is deprecated, it should ever be
an invalid hash like "x" or "*" for example.
Regards
Sebastian Noack
> OK, thank you. The * should appear in /etc/shadow, not in /etc/passwd.
> --
> Jorge Almeida
--
gentoo-user@gentoo.org mailing list
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: AW: [gentoo-user] x or * in /etc/passwd ?
2006-09-18 10:04 AW: [gentoo-user] x or * in /etc/passwd ? Noack, Sebastian
@ 2006-09-18 12:52 ` Jorge Almeida
2006-09-18 13:32 ` Alan McKinnon
0 siblings, 1 reply; 3+ messages in thread
From: Jorge Almeida @ 2006-09-18 12:52 UTC (permalink / raw
To: gentoo-user
On Mon, 18 Sep 2006, Noack, Sebastian wrote:
> The second field in /etc/passwd stands also for the password hash. But
> since storing passwords in /etc/passwd is deprecated, it should ever be
> an invalid hash like "x" or "*" for example.
>
Yes, but that holds for normal accounts as well as for "service"
accounts. What I was saying is that a * in /etc/shadow will make logging
in impossible. Did I understand wrong?
--
Jorge Almeida
--
gentoo-user@gentoo.org mailing list
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: AW: [gentoo-user] x or * in /etc/passwd ?
2006-09-18 12:52 ` Jorge Almeida
@ 2006-09-18 13:32 ` Alan McKinnon
0 siblings, 0 replies; 3+ messages in thread
From: Alan McKinnon @ 2006-09-18 13:32 UTC (permalink / raw
To: gentoo-user
On Monday 18 September 2006 14:52, Jorge Almeida wrote:
> On Mon, 18 Sep 2006, Noack, Sebastian wrote:
> > The second field in /etc/passwd stands also for the
> > password hash. But since storing passwords in /etc/passwd
> > is deprecated, it should ever be an invalid hash like "x"
> > or "*" for example.
>
> Yes, but that holds for normal accounts as well as for
> "service" accounts. What I was saying is that a * in
> /etc/shadow will make logging in impossible. Did I understand
> wrong?
Maybe some RTFM is in order here :-) From man 5 shadow:
"The password field must be filled. The encrypted password
consists of 13 to 24 characters from the 64 characters alphabet
a thru z, A thru Z, 0 thru 9, \. and /. Optionally it can start
with a "$" character. This means the encrypted password was
generated using another (not DES) algorithm. For example if it
starts with "$1$" it means the MD5-based algorithm was used.
"Refer to crypt(3) for details on how this string is
interpreted.
"If the password field contains some string that is not valid
result of crypt(3), for instance ! or *, the user will not be
able to use a unix password to log in, subject to pam(7)."
A * or ! anywhere in the password hash field of /etc/shadow will
make the account unloginable (is that a word???), as md5 hashes
cannot contain these characters. On my system the uucp account
has '*' for a hash and dovecot has "!":
gentoo dvd # cat /etc/shadow
uucp:*:13374:0:::::
dovecot:!:13374:0:99999:7:::
gentoo dvd # cat /etc/passwd
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin
And these password hashes means the accounts are locked:
gentoo dvd # passwd -S uucp
uucp L 08/14/2006 0 -1 -1 -1
gentoo dvd # passwd -S dovecot
dovecot L 08/14/2006 0 99999 7 -1
I can't login to either of these accounts, and 'su -' from a
root console to either account also fails - one silently, the
other with a message about account cannot be used. I thought
this might be the work of the shell in /etc/passwd, not the
password itself, so I tested it and made /bin/bash the shell
for both, then used 'su -' for both from a root console:
gentoo dvd # su - uucp
No directory, logging in with HOME=/
uucp@gentoo /
$gentoo dvd # su - dovecot
No directory, logging in with HOME=/
dovecot@gentoo / $
***********
So, in summary: '*' and '!' in /etc/shadow seem to have the same
effect, and if present, passwd considers the account to be
locked. The account is still perfectly useable and works in all
other respects as long as you don't have to do a password login
to use it (e.g. 'su -' as root).
To be certain if there's a difference between '*' and '!' or any
other character, you'd have to read the code - but I myself am
not up to that today :-)
alan
--
gentoo-user@gentoo.org mailing list
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-09-18 13:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-09-18 10:04 AW: [gentoo-user] x or * in /etc/passwd ? Noack, Sebastian
2006-09-18 12:52 ` Jorge Almeida
2006-09-18 13:32 ` Alan McKinnon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox