On Monday 18 September 2006 14:52, Jorge Almeida wrote: > On Mon, 18 Sep 2006, Noack, Sebastian wrote: > > The second field in /etc/passwd stands also for the > > password hash. But since storing passwords in /etc/passwd > > is deprecated, it should ever be an invalid hash like "x" > > or "*" for example. > > Yes, but that holds for normal accounts as well as for > "service" accounts. What I was saying is that a * in > /etc/shadow will make logging in impossible. Did I understand > wrong?
Maybe some RTFM is in order here :-) From man 5 shadow: "The password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 characters alphabet a thru z, A thru Z, 0 thru 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used. "Refer to crypt(3) for details on how this string is interpreted. "If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7)." A * or ! anywhere in the password hash field of /etc/shadow will make the account unloginable (is that a word???), as md5 hashes cannot contain these characters. On my system the uucp account has '*' for a hash and dovecot has "!": gentoo dvd # cat /etc/shadow uucp:*:13374:0::::: dovecot:!:13374:0:99999:7::: gentoo dvd # cat /etc/passwd uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false dovecot:x:97:97:added by portage:/dev/null:/usr/sbin/nologin And these password hashes means the accounts are locked: gentoo dvd # passwd -S uucp uucp L 08/14/2006 0 -1 -1 -1 gentoo dvd # passwd -S dovecot dovecot L 08/14/2006 0 99999 7 -1 I can't login to either of these accounts, and 'su -' from a root console to either account also fails - one silently, the other with a message about account cannot be used. I thought this might be the work of the shell in /etc/passwd, not the password itself, so I tested it and made /bin/bash the shell for both, then used 'su -' for both from a root console: gentoo dvd # su - uucp No directory, logging in with HOME=/ [EMAIL PROTECTED] / $gentoo dvd # su - dovecot No directory, logging in with HOME=/ [EMAIL PROTECTED] / $ *********** So, in summary: '*' and '!' in /etc/shadow seem to have the same effect, and if present, passwd considers the account to be locked. The account is still perfectly useable and works in all other respects as long as you don't have to do a password login to use it (e.g. 'su -' as root). To be certain if there's a difference between '*' and '!' or any other character, you'd have to read the code - but I myself am not up to that today :-) alan -- gentoo-user@gentoo.org mailing list
