For backups, I set up operator to dump & scp to another box, so he needs
$HOME/.ssh/:
$ sudo usermod -L daemon operator
$ sudo chsh -s /bin/ksh operator
$ sudo mkdir /operator
$ sudo chown operator:operator /operator
$ sudo chmod 750 operator /operator
$ userinfo operator
login operator
passwd *
uid 2
groups operator
change NEVER
class
gecos System &
dir /operator
shell /bin/ksh
expire NEVER
From the daily security email:
Running security(8):
Checking the /etc/master.passwd file:
Login operator is off but still has a valid shell and alternate access
files in home directory are still readable.
Which I think could be part of security(8):
Check the master.passwd(5) and group(5) files for syntax, empty passwords,
partially closed accounts.....
$ sudo fgrep operator /etc/master.passwd
operator:*:2:5::0:0:System &:/operator:/bin/ksh
master.passwd(5) says:
Similarly, login accounts not allowing password authentication but
allowing other authentication methods, for example public key
authentication, conventionally have 13 asterisks in the password field.
The alert comes from check_access_file() in /usr/libexec/security
Which comes from approx line 94 in check_passwd():
$pwd ne '' &&
$pwd ne 'skey' &&
length $pwd != 13 &&
$pwd !~ /^\$[0-9a-f]+\$/ &&
Do I need to change operator's password to be 13 *'s?
What's the best way to do that as I have this in /etc/login.conf:
default:\
:passwordcheck=/usr/local/bin/pwqcheck -1:\
Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
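
The password-field test quoted in the post, run over sample master.passwd(5) lines. This is an added example, not part of the original post and not the code of /usr/libexec/security. The shell list and every sample line except the operator entry are constructed, the "valid shell" test is an assumption, and the check of access files in the home directory is not modelled.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The four tests quoted in the post. True means the password field is not
# empty, not 'skey', not 13 characters long and has no $...$ hash prefix,
# so the entry goes on to be treated as a closed login.
sub passes_quoted_tests {
	my ($pwd) = @_;
	return $pwd ne '' &&
	    $pwd ne 'skey' &&
	    length $pwd != 13 &&
	    $pwd !~ /^\$[0-9a-f]+\$/;
}

# Assumption: stand-in for the "valid shell" test, which the post does not show.
my %valid_shell = map { $_ => 1 } qw(/bin/sh /bin/ksh /bin/csh);

# Returns the warning text, or '' when the entry would not be flagged.
sub check_entry {
	my ($line) = @_;
	# master.passwd(5) has ten colon-separated fields; keep name, password, shell.
	my ($name, $pwd, $shell) = (split /:/, $line, 10)[0, 1, 9];
	return '' unless passes_quoted_tests($pwd) && $valid_shell{$shell};
	return "Login $name is off but still has a valid shell";
}

my $tail = ':2:5::0:0:System &:/operator:';
my @samples = (
	'operator:*' . $tail . '/bin/ksh',                 # entry from the post
	'operator:' . ('*' x 13) . $tail . '/bin/ksh',     # constructed: 13 asterisks
	'operator:*' . $tail . '/sbin/nologin',            # constructed: shell not in list
	'operator:$2b$10$CONSTRUCTED' . $tail . '/bin/ksh', # constructed: hash-style prefix
);

for my $line (@samples) {
	my $pwd = (split /:/, $line, 10)[1];
	my $msg = check_entry($line);
	printf "%-20s %s\n", $pwd, $msg eq '' ? 'not flagged' : $msg;
}
```

Only the first sample, the single asterisk with /bin/ksh, is flagged; the 13-asterisk field is excluded by the `length $pwd != 13` test.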