tag 625758 + patch thanks With --disabled-password, the password field is set to '!'; with --disabled-login, it is set to '*'. pam_unix checks for both in verify_pw_hash:
} else if (!p || *hash == '*' || *hash == '!') {
retval = PAM_AUTH_ERR;
Therefore I don't see the use of having both options, unless some other
software cares about the difference between the two values,
On the assumption that there is no such other software, here is an patch
to note that --disabled-login doesn't do anything that
--disabled-password can't.
I've also changed a few stray '-' characters to '\-'.
--
Sam Morris <https://robots.org.uk/>
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
--- doc/adduser.8.orig 2013-07-26 10:55:33.570533942 +0100 +++ doc/adduser.8 2013-07-26 11:17:12.175202430 +0100 @@ -10,9 +10,9 @@ .SH NAME adduser, addgroup \- add a user or group to the system .SH SYNOPSIS -.BR adduser " [options] [\-\-home DIR] [\-\-shell SHELL] [\-\-no-create-home] [\-\-uid ID] [\-\-firstuid ID] [\-\-lastuid ID] [\-\-ingroup GROUP | \-\-gid ID] [\-\-disabled-password] [\-\-disabled-login] [\-\-gecos GECOS] [\-\-add_extra_groups] user" +.BR adduser " [options] [\-\-home DIR] [\-\-shell SHELL] [\-\-no-create-home] [\-\-uid ID] [\-\-firstuid ID] [\-\-lastuid ID] [\-\-ingroup GROUP | \-\-gid ID] [\-\-disabled\-password] [\-\-disabled\-login] [\-\-gecos GECOS] [\-\-add_extra_groups] user" .PP -.BR adduser " \-\-system [options] [\-\-home DIR] [\-\-shell SHELL] [\-\-no-create-home] [\-\-uid ID] [\-\-group | \-\-ingroup GROUP | \-\-gid ID] [\-\-disabled-password] [\-\-disabled-login] [\-\-gecos GECOS] user" +.BR adduser " \-\-system [options] [\-\-home DIR] [\-\-shell SHELL] [\-\-no-create-home] [\-\-uid ID] [\-\-group | \-\-ingroup GROUP | \-\-gid ID] [\-\-disabled\-password] [\-\-disabled\-login] [\-\-gecos GECOS] user" .PP .BR addgroup " [options] [\-\-gid ID] group" .PP @@ -92,12 +92,9 @@ a password. The gecos may also be set with the .B \-\-gecos option. With the -.B \-\-disabled-login -option, the account will be created but will be disabled until a -password is set. The -.B \-\-disabled-password -option will not set a password, but login is still possible (for example -with SSH RSA keys). +.B \-\-disabled\-password +option, the account will be created without a password being set; login +is still possible through other means (for example, with SSH RSA keys). If the file .B /usr/local/sbin/adduser.local @@ -146,7 +143,7 @@ .I /bin/false (unless overridden with the .B \-\-shell -option), and have logins disabled. Skeletal configuration files +option), and have a disabled password. Skeletal configuration files are not copied. .SS "Add a user group" If @@ -182,12 +179,14 @@ Use FILE instead of .IR /etc/adduser.conf . .TP -.B \-\-disabled-login -Do not run passwd to set the password. The user won't be able to use -her account until the password is set. +.B \-\-disabled\-login +Obsolete option with the same effect as \fB\-\-disabled\-password\fR. To disable an +account, so that login is not possible by any means, set the expiry date after +.B adduser +has been run, for example with \fBchage -E 0\fR. .TP -.B \-\-disabled-password -Like \-\-disabled-login, but logins are still possible (for example using +.B \-\-disabled\-password +Do not run passwd to set the password. Logins are still possible (for example using SSH RSA keys) but not using password authentication. .TP .B \-\-force\-badname
signature.asc
Description: This is a digitally signed message part
