Package: passwd
Version: 1:4.19.0-2
Severity: important
File: /usr/sbin/chpasswd

Hi,

For decades, prefixing the password hash in /etc/shadow with ! has been
a method to disable an account while preserving the password. This is
documented in shadow(5):

|       encrypted password
|           If the password field is empty, the user can log in without a
|           password. However, some applications that read the /etc/shadow file
|           might block access if the password field is empty.
|
|           If the password field begins with an exclamation mark !, the
|           password is locked. The remaining characters on the line represent
|           the password field before the password was locked.

chpasswd in shadow 4.19.0 does not allow that any more:

| # echo "aust:\!foobar" | chpasswd --encrypted
| chpasswd: (line 1, user aust) invalid password hash
| chpasswd: error detected, changes ignored

I think this goes too far. Please consider revisiting this check.

(btw, this breaks adduser's future lock/unlock functionality.)

Greetings
Marc

-- System Information:
Debian Release: forky/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'oldstable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), 
(500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.17.13+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages passwd depends on:
ii  base-passwd     3.6.8
ii  libacl1         2.3.2-2+b1
ii  libattr1        1:2.5.2-3
ii  libaudit1       1:4.1.2-1+b1
ii  libbsd0         0.12.2-2
ii  libc6           2.42-7
ii  libcrypt1       1:4.5.1-1
ii  libpam-modules  1.7.0-5
ii  libpam0g        1.7.0-5
ii  libselinux1     3.9-4+b1
ii  libsemanage2    3.9-1+b1
ii  login.defs      1:4.18.0-2

Versions of packages passwd recommends:
ii  sensible-utils  0.0.26

passwd suggests no packages.

-- no debconf information
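
The shadow(5) semantics quoted in the report, worked through as an added example that is not part of the original report and is not code from shadow or adduser. The function names and the sample entries are assumptions made for illustration; the hashes are placeholders. It classifies the password field, shows that lock followed by unlock returns the original hash, and refuses an unlock that would leave the field empty, since an empty field means login without a password.

```python
from dataclasses import dataclass

# Constructed sample in /etc/shadow layout; the hashes are placeholders,
# not real crypt(3) output.
SAMPLE_SHADOW = """\
alice:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20000:0:99999:7:::
aust:!$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20000:0:99999:7:::
guest::20000:0:99999:7:::
svc:!:20000:0:99999:7:::
"""

@dataclass
class PasswordField:
    user: str
    state: str      # "empty", "locked" or "set"
    preserved: str  # field content without the leading "!"

def classify(line):
    """Classify the second field of one shadow line per shadow(5)."""
    user, field = line.split(":")[:2]
    if field == "":
        return PasswordField(user, "empty", "")
    if field.startswith("!"):
        # The remaining characters are the field before it was locked.
        return PasswordField(user, "locked", field[1:])
    return PasswordField(user, "set", field)

def lock(field):
    """Prefix the field with "!"; an already locked field is left alone."""
    return field if field.startswith("!") else "!" + field

def unlock(field):
    """Drop one leading "!", refusing if that would leave an empty field."""
    if not field.startswith("!"):
        return field
    if field[1:] == "":
        raise ValueError("unlocking would leave an empty password field")
    return field[1:]

def audit(text):
    """Classify every non-blank line of shadow-format text."""
    return [classify(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for entry in audit(SAMPLE_SHADOW):
        print(f"{entry.user:6} {entry.state}")
```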
