On Tue, 8 Mar 2022 18:40:11 +0000, Simon McVittie <s...@debian.org> wrote:
>On Tue, 08 Mar 2022 at 17:49:04 +0100, Marc Haber wrote:
>> (3)
>> #625758
>> --disabled-password just does not set a password for the newly created
>> account (resulting in '*' in shadow) while --disabled-login places a '!'
>> in shadow. On modern systems with PAM, both variants seem to be
>> identical, allowing login via ssh.
>
>I assume you mean: allowing login via ssh if other steps have been taken
>to allow it, like creating and populating ~/.ssh/authorized_keys?
Yes, right.

>This ties in with the suggestion that system accounts should be "locked"
>(usermod -L -e 1) when the package that owns them is removed.

Yes.

>usermod -L
>edits the crypted password in /etc/shadow to prevent login, by prepending
>'!', which is not a possible crypt(3) output: so it seems the distinction
>between these options is something like:
>
>--disabled-password: the new account doesn't have a valid password, so
>password authentication will always fail
>
>--disabled-login: the new account has an empty password but is "locked";
>so password authentication will fail, but "unlocking" the account will
>result in login being accepted with a blank password (subject to other
>policies like ssh PermitEmptyPasswords and PAM nullok)

That way, --disabled-login doesn't sound desirable at all; it would
violate the principle of least surprise, at least for me. I'd have
expected (and always believed) that a password of ! will also prevent
ssh-key logins from happening.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
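The exchange above distinguishes four shadow states by the second field of /etc/shadow ('*' from --disabled-password, a bare '!' from --disabled-login, '!' prepended to a real hash by usermod -L, and an expiry date from usermod -e 1). The script below is an added example, not code from the thread, adduser or shadow-utils: it classifies shadow records along exactly those lines so an auditor can see which accounts merely lack a password, which are "locked" but would become blank-password accounts if unlocked, and which are actually expired. The labels (nopass, locked-empty, locked, expired, empty, active) and the sample records are my own constructions; the assumption that only the expiry date, and not the '!' prefix, stops key-based ssh is the observation the thread itself makes about PAM-enabled systems, not something the script verifies.

```shell
#!/bin/sh
# Added example: classify the login state of /etc/shadow records.
# shadow(5) fields: name:password:lastchange:min:max:warn:inactive:expire:reserved
#   '*'          no valid crypt(3) hash -> password auth can never succeed
#   '!'          locked, and blank once unlocked (what --disabled-login leaves)
#   '!<hash>'    locked by usermod -L / passwd -l; unlocking restores <hash>
#   expire set   account expired (usermod -e 1); per the thread, this is the
#                state that also stops key-based ssh under PAM (assumption)

classify_shadow() {
    # $1: one shadow record; $2 (optional): "today" in days since the epoch,
    #     so the result is reproducible in tests
    record=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    hash=$(printf '%s\n' "$record" | cut -d: -f2)
    expire=$(printf '%s\n' "$record" | cut -d: -f8)

    # An expiry date in the past blocks the account whatever the hash says.
    case $expire in
        ''|*[!0-9]*) ;;                       # unset or not numeric: no expiry
        *) [ "$expire" -le "$today" ] && { echo expired; return 0; } ;;
    esac

    case $hash in
        '')   echo empty ;;                   # blank password and not locked
        '*')  echo nopass ;;                  # --disabled-password
        '!')  echo locked-empty ;;            # --disabled-login: unlock -> blank
        '!'*)
            rest=${hash#"!"}
            case $rest in
                '*'|'!') echo nopass ;;       # still no valid hash after unlock
                *)       echo locked ;;       # usermod -L on a real password
            esac ;;
        *)    echo active ;;
    esac
}

# Constructed sample records (not taken from any real system).
SAMPLE_SHADOW='
svc-nopass:*:19000:0:99999:7:::
svc-login:!:19000:0:99999:7:::
svc-locked:!$6$salt$hash:19000:0:99999:7:::
svc-removed:!$6$salt$hash:19000:0:99999:7::1:
svc-blank::19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
'

shadow_report() {
    # $1: text with one shadow record per line; $2: optional "today"
    printf '%s\n' "$1" | while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        printf '%-12s %s\n' "${rec%%:*}" "$(classify_shadow "$rec" "$2")"
    done
}

shadow_report "$SAMPLE_SHADOW"
```

Run it against a real system with `shadow_report "$(sudo cat /etc/shadow)"`; anything reported as `locked-empty` is an account that a later `usermod -U` or `passwd -u` would turn into a blank-password login, which is the surprise Marc describes.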