On Monday 18 September 2006 14:52, Jorge Almeida wrote:
> On Mon, 18 Sep 2006, Noack, Sebastian wrote:
> > The second field in /etc/passwd stands also for the
> > password hash. But since storing passwords in /etc/passwd
> > is deprecated, it should ever be an invalid hash like "x"
> > or "*" for example.
>
> Yes, but that holds for normal accounts as well as for
> "service" accounts. What I was saying is that a * in
> /etc/shadow will make logging in impossible. Did I understand
> wrong?

Maybe some RTFM is in order here :-) From man 5 shadow:

"The password field must be filled. The encrypted password
consists of 13 to 24 characters from the 64 characters alphabet
a thru z, A thru Z, 0 thru 9, \. and /. Optionally it can start
with a "$" character. This means the encrypted password was
generated using another (not DES) algorithm. For example if it
starts with "$1$" it means the MD5-based algorithm was used.

"Refer to crypt(3) for details on how this string is
interpreted.

"If the password field contains some string that is not valid
result of crypt(3), for instance ! or *, the user will not be
able to use a unix password to log in, subject to pam(7)."

A * or ! anywhere in the password hash field of /etc/shadow will
make the account unloginable (is that a word???), as md5 hashes
cannot contain these characters. On my system the uucp account
has '*' for a hash and dovecot has "!":

gentoo dvd # cat /etc/shadow
uucp:*:13374:0:::::
dovecot:!:13374:0:99999:7:::

gentoo dvd # cat /etc/passwd
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin

And these password hashes mean the accounts are locked:

gentoo dvd # passwd -S uucp
uucp L 08/14/2006 0 -1 -1 -1
gentoo dvd # passwd -S dovecot
dovecot L 08/14/2006 0 99999 7 -1

I can't login to either of these accounts, and 'su -' from a
root console to either account also fails - one silently, the
other with a message about account cannot be used. I thought
this might be the work of the shell in /etc/passwd, not the
password itself, so I tested it and made /bin/bash the shell
for both, then used 'su -' for both from a root console:

gentoo dvd # su - uucp
No directory, logging in with HOME=/
uucp@gentoo / $

gentoo dvd # su - dovecot
No directory, logging in with HOME=/
dovecot@gentoo / $

***********

So, in summary: '*' and '!' in /etc/shadow seem to have the same
effect, and if present, passwd considers the account to be
locked. The account is still perfectly usable and works in all
other respects as long as you don't have to do a password login
to use it (e.g. 'su -' as root).

To be certain if there's a difference between '*' and '!' or any
other character, you'd have to read the code - but I myself am
not up to that today :-)

alan
--
gentoo-user@g.o mailing list
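The thread's two observations (a field that is not a valid crypt(3) result locks password login, yet a locked account with a real shell is still reachable via 'su -' from root) can be turned into a small audit. This is an added example, not code from the mail or from shadow-utils: the "valid crypt(3) result" test is the man-page character rule quoted above, not the actual passwd -S implementation, and the shadow/passwd entries are constructed samples modelled on the ones shown.

```python
import string

# Characters a crypt(3) result may contain, per the man 5 shadow text
# quoted in the thread: a-z, A-Z, 0-9, '.', '/' and the '$' prefix.
CRYPT_CHARS = set(string.ascii_letters + string.digits + "./$")

# Shells that refuse an interactive session even when su'd to as root.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample data (not a real system) modelled on the mail.
SHADOW = """\
uucp:*:13374:0:::::
dovecot:!:13374:0:99999:7:::
svc:!$1$abcdefgh$ijklmnopqrstuvwxyz012:13374:0:99999:7:::
backup:*:13374:0:99999:7:::
alan:$1$abcdefgh$ijklmnopqrstuvwxyz012:13374:0:99999:7:::
guest::13374:0:99999:7:::
"""
PASSWD = """\
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin
svc:x:500:500::/home/svc:/usr/sbin/nologin
backup:x:501:501::/var/backups:/bin/bash
alan:x:1000:1000::/home/alan:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
"""

def password_status(field):
    """'NP' = empty field, 'L' = not a valid crypt(3) result (locked),
    'P' = looks like a usable hash. Same letters as `passwd -S`, but
    derived from the man-page alphabet rule, not shadow-utils' code."""
    if field == "":
        return "NP"
    # '*', '!' or a '!'-prefixed hash (as `passwd -l` writes) can never
    # equal crypt(password, salt), so password login is impossible.
    if any(c not in CRYPT_CHARS for c in field):
        return "L"
    return "P"

def audit(shadow_text, passwd_text):
    """Join shadow and passwd by user name. Returns, per user, the
    status letter, the login shell, and whether the account is locked
    yet still has an interactive shell (reachable via `su -` as root)."""
    shells = {}
    for line in passwd_text.splitlines():
        if line:
            fields = line.split(":")
            shells[fields[0]] = fields[6]
    report = {}
    for line in shadow_text.splitlines():
        if not line:
            continue
        user, pw_field = line.split(":")[:2]
        status = password_status(pw_field)
        shell = shells.get(user, "")
        report[user] = (status, shell, status == "L" and shell not in NOLOGIN_SHELLS)
    return report
```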