| 1 |
On Monday 18 September 2006 14:52, Jorge Almeida wrote: |
| 2 |
> On Mon, 18 Sep 2006, Noack, Sebastian wrote: |
| 3 |
> > The second field in /etc/passwd stands also for the |
| 4 |
> > password hash. But since storing passwords in /etc/passwd |
| 5 |
> > is deprecated, it should ever be an invalid hash like "x" |
| 6 |
> > or "*" for example. |
| 7 |
> |
| 8 |
> Yes, but that holds for normal accounts as well as for |
| 9 |
> "service" accounts. What I was saying is that a * in |
| 10 |
> /etc/shadow will make logging in impossible. Did I understand |
| 11 |
> wrong? |
| 12 |
|
| 13 |
Maybe some RTFM is in order here :-) From man 5 shadow: |
| 14 |
|
| 15 |
"The password field must be filled. The encrypted password |
| 16 |
consists of 13 to 24 characters from the 64 characters alphabet |
| 17 |
a thru z, A thru Z, 0 thru 9, \. and /. Optionally it can start |
| 18 |
with a "$" character. This means the encrypted password was |
| 19 |
generated using another (not DES) algorithm. For example if it |
| 20 |
starts with "$1$" it means the MD5-based algorithm was used. |
| 21 |
|
| 22 |
"Refer to crypt(3) for details on how this string is |
| 23 |
interpreted. |
| 24 |
|
| 25 |
"If the password field contains some string that is not valid |
| 26 |
result of crypt(3), for instance ! or *, the user will not be |
| 27 |
able to use a unix password to log in, subject to pam(7)." |
| 28 |
|
| 29 |
A * or ! anywhere in the password hash field of /etc/shadow will |
| 30 |
make the account unloginable (is that a word???), as md5 hashes |
| 31 |
cannot contain these characters. On my system the uucp account |
| 32 |
has '*' for a hash and dovecot has "!": |
| 33 |
|
| 34 |
gentoo dvd # cat /etc/shadow |
| 35 |
uucp:*:13374:0::::: |
| 36 |
dovecot:!:13374:0:99999:7::: |
| 37 |
|
| 38 |
gentoo dvd # cat /etc/passwd |
| 39 |
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false |
| 40 |
dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin |
| 41 |
|
| 42 |
And these password hashes means the accounts are locked: |
| 43 |
|
| 44 |
gentoo dvd # passwd -S uucp |
| 45 |
uucp L 08/14/2006 0 -1 -1 -1 |
| 46 |
gentoo dvd # passwd -S dovecot |
| 47 |
dovecot L 08/14/2006 0 99999 7 -1 |
| 48 |
|
| 49 |
I can't login to either of these accounts, and 'su -' from a |
| 50 |
root console to either account also fails - one silently, the |
| 51 |
other with a message about account cannot be used. I thought |
| 52 |
this might be the work of the shell in /etc/passwd, not the |
| 53 |
password itself, so I tested it and made /bin/bash the shell |
| 54 |
for both, then used 'su -' for both from a root console: |
| 55 |
|
| 56 |
gentoo dvd # su - uucp |
| 57 |
No directory, logging in with HOME=/ |
| 58 |
uucp@gentoo / |
| 59 |
|
| 60 |
$gentoo dvd # su - dovecot |
| 61 |
No directory, logging in with HOME=/ |
| 62 |
dovecot@gentoo / $ |
| 63 |
|
| 64 |
*********** |
| 65 |
|
| 66 |
So, in summary: '*' and '!' in /etc/shadow seem to have the same |
| 67 |
effect, and if present, passwd considers the account to be |
| 68 |
locked. The account is still perfectly useable and works in all |
| 69 |
other respects as long as you don't have to do a password login |
| 70 |
to use it (e.g. 'su -' as root). |
| 71 |
|
| 72 |
To be certain if there's a difference between '*' and '!' or any |
| 73 |
other character, you'd have to read the code - but I myself am |
| 74 |
not up to that today :-) |
| 75 |
|
| 76 |
alan |
| 77 |
-- |
| 78 |
gentoo-user@g.o mailing list |
Archives