public inbox for gentoo-user@lists.gentoo.org
* AW: [gentoo-user] x or * in /etc/passwd ?
From: Noack, Sebastian @ 2006-09-18 10:04 UTC
  To: gentoo-user

The second field in /etc/passwd also stands for the password hash. But
since storing passwords in /etc/passwd is deprecated, it should always be
an invalid hash like "x" or "*", for example.

Regards
Sebastian Noack

> OK, thank you. The * should appear in /etc/shadow, not in /etc/passwd.
> --
> Jorge Almeida

-- 
gentoo-user@gentoo.org mailing list

* Re: AW: [gentoo-user] x or * in /etc/passwd ?
From: Jorge Almeida @ 2006-09-18 12:52 UTC
  To: gentoo-user

On Mon, 18 Sep 2006, Noack, Sebastian wrote:

> The second field in /etc/passwd also stands for the password hash. But
> since storing passwords in /etc/passwd is deprecated, it should always be
> an invalid hash like "x" or "*", for example.
>
Yes, but that holds for normal accounts as well as for "service"
accounts. What I was saying is that a * in /etc/shadow will make logging
in impossible. Did I understand wrong?
-- 
Jorge Almeida

* Re: AW: [gentoo-user] x or * in /etc/passwd ?
From: Alan McKinnon @ 2006-09-18 13:32 UTC
  To: gentoo-user

On Monday 18 September 2006 14:52, Jorge Almeida wrote:
> On Mon, 18 Sep 2006, Noack, Sebastian wrote:
> > The second field in /etc/passwd also stands for the
> > password hash. But since storing passwords in /etc/passwd
> > is deprecated, it should always be an invalid hash like "x"
> > or "*", for example.
>
> Yes, but that holds for normal accounts as well as for
> "service" accounts. What I was saying is that a * in
> /etc/shadow will make logging in impossible. Did I understand
> wrong?

Maybe some RTFM is in order here :-) From man 5 shadow:

"The password field must be filled. The encrypted password 
consists of 13 to 24 characters from the 64 characters alphabet
a thru z, A thru Z, 0 thru 9, \. and /. Optionally it can start
with a "$" character. This means the encrypted password was
generated using another (not DES) algorithm. For example if it
starts with "$1$" it means the MD5-based algorithm was used.

"Refer to crypt(3) for details on how this string is 
interpreted.

"If the password field contains some string that is not valid
result of crypt(3), for instance ! or *, the user will not be
able to use a unix password to log in, subject to pam(7)."

A * or ! anywhere in the password hash field of /etc/shadow will 
make the account unloginable (is that a word???), as md5 hashes 
cannot contain these characters. On my system the uucp account 
has '*' for a hash and dovecot has "!":

gentoo dvd # cat /etc/shadow
uucp:*:13374:0:::::
dovecot:!:13374:0:99999:7:::

gentoo dvd # cat /etc/passwd
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin

And these password hashes mean the accounts are locked:

gentoo dvd # passwd -S uucp
uucp L 08/14/2006 0 -1 -1 -1
gentoo dvd # passwd -S dovecot
dovecot L 08/14/2006 0 99999 7 -1

I can't login to either of these accounts, and 'su -' from a 
root console to either account also fails - one silently, the 
other with a message about account cannot be used. I thought 
this might be the work of the shell in /etc/passwd, not the 
password itself, so I tested it and made /bin/bash the shell 
for both, then used 'su -' for both from a root console:

gentoo dvd # su - uucp
No directory, logging in with HOME=/
uucp@gentoo / $

gentoo dvd # su - dovecot
No directory, logging in with HOME=/
dovecot@gentoo / $

***********

So, in summary: '*' and '!' in /etc/shadow seem to have the same 
effect, and if present, passwd considers the account to be 
locked. The account is still perfectly useable and works in all 
other respects as long as you don't have to do a password login 
to use it (e.g. 'su -' as root).

To be certain if there's a difference between '*' and '!' or any 
other character, you'd have to read the code - but I myself am 
not up to that today :-)

alan
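The rule Alan quotes from man 5 shadow (a password field that is not a valid crypt(3) result, such as "*" or "!", refuses unix password login, and the field must never be empty) can be turned into a small audit that checks both files together. The following is an added example written for this thread, not code from the list or from shadow-utils; the sample /etc/passwd and /etc/shadow lines are constructed to mirror the ones Alan posted plus a few extra accounts (alice, bob, eve, mallory), and the classification goes slightly beyond the thread by also flagging an empty field and a hash left in /etc/passwd, which the man page text and Sebastian's reply respectively imply are the things to look for.

```python
import re

# Constructed sample data modelled on the lines in the thread; not from a real host.
SAMPLE_SHADOW = """\
uucp:*:13374:0:::::
dovecot:!:13374:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:13374:0:99999:7:::
bob:AbCdEfGhIjKlM:13374:0:99999:7:::
eve::13374:0:99999:7:::
mallory:!$1$saltsalt$abcdefghijklmnopqrstuv:13374:0:99999:7:::
"""

SAMPLE_PASSWD = """\
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:AbCdEfGhIjKlM:1001:1001::/home/bob:/bin/bash
eve:x:1002:1002::/home/eve:/bin/bash
mallory:x:1003:1003::/home/mallory:/bin/bash
"""

# The 64-character alphabet named in man 5 shadow: a-z, A-Z, 0-9, '.' and '/'.
# Traditional crypt(3) output is 13 to 24 characters from that alphabet.
_CRYPT_HASH = re.compile(r"[A-Za-z0-9./]{13,24}")
# "$id$..." form: a non-DES algorithm; the man page names $1$ as MD5.
_MODULAR_HASH = re.compile(r"\$[A-Za-z0-9./$]+")


def classify_shadow_field(field):
    """Classify the second field of an /etc/shadow line.

    Returns one of "empty", "locked", "hash" or "invalid".
    """
    if field == "":
        # man 5 shadow: the field must be filled; empty means nothing is checked.
        return "empty"
    if "*" in field or "!" in field:
        # Neither character can appear in a crypt(3) result, so the string can
        # never match a password and unix password login is refused.  passwd -l
        # locks an account by prepending "!" to the existing hash, which lands
        # here as well.
        return "locked"
    if _CRYPT_HASH.fullmatch(field) or _MODULAR_HASH.fullmatch(field):
        return "hash"
    return "invalid"


def _parse(text):
    """Map user name -> list of colon-separated fields for a passwd/shadow file body."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit(passwd_text, shadow_text):
    """Return {user: [finding, ...]}; an empty list means nothing to report."""
    passwd = _parse(passwd_text)
    shadow = _parse(shadow_text)
    findings = {}
    for user, fields in passwd.items():
        notes = []
        if fields[1] != "x":
            # A real hash in the world-readable /etc/passwd, the deprecated layout.
            notes.append("hash stored in /etc/passwd instead of /etc/shadow")
        if user not in shadow:
            notes.append("no /etc/shadow entry")
        else:
            kind = classify_shadow_field(shadow[user][1])
            if kind == "empty":
                notes.append("empty password field: login without a password")
            elif kind == "invalid":
                notes.append("password field is not a crypt(3) result")
            elif kind == "locked":
                # Same observation as the thread: passwd -S reports L, but
                # 'su - user' from a root console still succeeds.
                notes.append("password login disabled (su from root still works)")
        findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user}: {'; '.join(notes) or 'ok'}")
```

Run on a live system, `audit(open('/etc/passwd').read(), open('/etc/shadow').read())` needs root to read /etc/shadow; the "locked" findings are informational for service accounts like uucp and dovecot, while "empty" and "hash stored in /etc/passwd" are the ones worth fixing.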
