On Wed, Sep 11, 2013 at 10:37:12AM +0100, Craig R. Skinner wrote:
> For backups, I set up operator to dump & scp to another box, so he needs
> $HOME/.ssh/:
>
> $ sudo usermod -L daemon operator
> $ sudo chsh -s /bin/ksh operator
> $ sudo mkdir /operator
> $ sudo chown operator:operator /operator
> $ sudo chmod 750 operator /operator
>
>
> $ userinfo operator
> login operator
> passwd *
> uid 2
> groups operator
> change NEVER
> class
> gecos System &
> dir /operator
> shell /bin/ksh
> expire NEVER
>
> From the daily security email:
>
> Running security(8):
>
> Checking the /etc/master.passwd file:
> Login operator is off but still has a valid shell and alternate access
> files in home directory are still readable.
>
> Which I think could be part of security(8) .Check the master.passwd(5)
> and group(5) files for syntax, empty passwords, partially closed
> accounts.....
>
> $ sudo fgrep operator /etc/master.passwd
> operator:*:2:5::0:0:System &:/operator:/bin/ksh
>
> master.passwd(5) says:
> Similarly, login accounts not allowing password authentication but
> allowing other authentication methods, for example public key
> authentication, conventionally have 13 asterisks in the password field.
>
> The alert comes from check_access_file() in /usr/libexec/security
> Which comes from approx line 94 in check_passwd():
> $pwd ne '' &&
> $pwd ne 'skey' &&
> length $pwd != 13 &&
> $pwd !~ /^\$[0-9a-f]+\$/ &&
>
>
>
> Do I need to change operator's password to be 13 *'s?
>
> What's the best way to do that as I have this in /etc/login.conf:
> default:\
> :passwordcheck=/usr/local/bin/pwqcheck -1:\

vipw(8)

-- 
Antoine
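
The password-field test quoted in the thread, applied to a few master.passwd(5) lines, as an added example that is not part of the original messages and is not the code of /usr/libexec/security. The shell test (`has_login_shell`), the helper names and every sample entry except operator's are assumptions made for illustration, and the real script's look at access files in the home directory is not reproduced.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed master.passwd(5) lines. The first is the entry quoted in the
# thread; the others are made-up variations for comparison.
my @lines = (
    'operator:*:2:5::0:0:System &:/operator:/bin/ksh',
    'operator13:*************:2:5::0:0:System &:/operator:/bin/ksh',
    'nologin:*:32767:32767::0:0:No shell:/nonexistent:/sbin/nologin',
    'skeyuser:skey:1001:1001::0:0:S/Key user:/home/skeyuser:/bin/ksh',
    'empty::1002:1002::0:0:Empty password:/home/empty:/bin/ksh',
);

# True when the password field passes the four tests quoted from
# check_passwd(), i.e. the login counts as "off" for this check.
sub login_is_off {
    my ($pwd) = @_;
    return $pwd ne ''
        && $pwd ne 'skey'
        && length $pwd != 13
        && $pwd !~ /^\$[0-9a-f]+\$/;
}

# Assumption: "valid shell" is approximated as a path ending in "sh".
# The quoted fragment is cut off before the script's own shell test.
sub has_login_shell {
    my ($shell) = @_;
    return $shell =~ /sh$/;
}

for my $line (@lines) {
    # Fields: name:password:uid:gid:class:change:expire:gecos:home_dir:shell
    my ($name, $pwd, undef, undef, undef, undef, undef, undef, $dir, $shell)
        = split /:/, $line, -1;
    my $verdict = 'not flagged';
    if (login_is_off($pwd) && has_login_shell($shell)) {
        $verdict = "flagged: login is off, shell $shell, check access files in $dir";
    }
    printf "%-12s pwd=%-15s %s\n", $name, "'$pwd'", $verdict;
}
```

Only the first entry, with the single `*`, is flagged; the same account with 13 asterisks in the password field passes the length test and is left alone.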

