Re: Empty password field for libuuid Debian-exim - Why not a security risk?

2009-10-16 Thread Frank Lin PIAT
On Thu, 2009-10-15 at 22:55 -0400, Dr. Mark A. Friedman wrote:
> Upon installation, Debian includes users libuuid and Debian-exim in
> /etc/shadow with an empty password field:
>

Which release do you use?

I checked some of my systems; those accounts are locked (shadow has an
exclamation mark in the password field).

Franklin


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Empty password field for libuuid Debian-exim - Why not a security risk?

2009-10-15 Thread Dr. Mark A. Friedman
Upon installation, Debian includes users libuuid and Debian-exim in
/etc/shadow with an empty password field:

libuuid::14292:0:9:7:::
Debian-exim::14377:0:9:7:::

Although Debian-exim specifies /bin/false as a shell in /etc/passwd to
eliminate login, libuuid does not:

libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:103:105::/var/spool/exim4:/bin/false

Besides which, the use of /bin/false does not eliminate use of an
account in ways through ssh. e.g.
http://www.semicomplete.com/articles/ssh-security/

1) What stops one from logging into a Debian machine through libuuid
or Debian-exim by specifying a blank password?  Or, using ssh through
one of these users and a blank password?

2) For a greater degree of comfort or security, could I change the
password field to an '*' for these users without causing a problem?
And, where would I see that problem if it did occur (e.g. exim is not
installed on my system)?

libuuid:*:14292:0:9:7:::
Debian-exim:*:14377:0:9:7:::

Thanks in advance.


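As an added example (not code from the thread, and not Debian's own tooling), the following Python script does the check the original post is asking about: it reads passwd/shadow-style entries, reports which accounts have an empty password field, a locked field ('!' or '*', which crypt(3) never produces, so no password can match), or a real hash, and whether the shell is a nologin shell; it then shows what `passwd -l` does to an empty field (prefixes '!'), and reads the effective global `PermitEmptyPasswords` from an sshd_config fragment. The passwd/shadow lines and the sshd_config fragment are constructed from the entries quoted above; the root hash is a placeholder, not real crypt output, and no system files are read.

```python
"""Audit passwd/shadow entries for empty password fields, lock them the way
`passwd -l` does, and read sshd's PermitEmptyPasswords.  Added example;
all input below is constructed, no real system files are touched."""

from typing import Dict, List, Optional, Tuple

# crypt(3) never emits '!' or '*', so a field starting with either can never
# match any password; `passwd -l` / `usermod -L` rely on exactly this.
LOCK_PREFIXES = ("!", "*")
# Shells that refuse an interactive session.  Not a substitute for locking:
# the password field is checked before the shell ever runs.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text: str) -> Dict[str, Tuple[int, str]]:
    """name -> (uid, shell).  passwd(5): 7 fields; empty shell means /bin/sh."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        out[f[0]] = (int(f[2]), f[6] or "/bin/sh")
    return out


def parse_shadow(text: str) -> Dict[str, str]:
    """name -> raw password field.  shadow(5): 9 colon-separated fields."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        out[f[0]] = f[1]
    return out


def classify(field: Optional[str]) -> str:
    """State of one shadow password field."""
    if field is None:
        return "no-shadow-entry"   # passwd says 'x' but there is nothing to check
    if field == "":
        return "empty"             # an empty password matches (if PAM allows nullok)
    if field.startswith(LOCK_PREFIXES):
        return "locked"
    return "hashed"


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str, str]]:
    """(name, password-state, shell-state) for every account that is not
    both locked and on a nologin shell, i.e. everything worth a look."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, (_uid, shell) in parse_passwd(passwd_text).items():
        pw = classify(shadow.get(name))
        sh = "nologin" if shell in NOLOGIN_SHELLS else "interactive"
        if pw != "locked" or sh != "nologin":
            findings.append((name, pw, sh))
    return findings


def lock_empty_fields(shadow_text: str) -> str:
    """Rewrite empty password fields as `passwd -l` would (prefix '!').
    Existing hashes are left alone.  Returns new text; writes nothing."""
    out = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) == 9 and f[1] == "":
            f[1] = "!"
        out.append(":".join(f))
    return "\n".join(out) + "\n"


def permit_empty_passwords(sshd_config: str) -> bool:
    """Effective global PermitEmptyPasswords: keyword is case-insensitive,
    first occurrence wins, default is 'no'.  Match blocks are ignored here
    (they only narrow the setting); `sshd -T` is authoritative on a real host."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitemptypasswords" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return False


# Constructed sample data, built from the entries quoted in the thread.
# The root hash is a placeholder, not real crypt(3) output.
PASSWD = """root:x:0:0:root:/root:/bin/bash
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:103:105::/var/spool/exim4:/bin/false
"""
SHADOW = """root:$6$examplesalt$notarealhashjustaplaceholder:14292:0:99999:7:::
libuuid::14292:0:9:7:::
Debian-exim::14377:0:9:7:::
"""
SSHD_CONFIG = """# constructed sshd_config fragment (stock default left commented)
PermitRootLogin no
#PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, pw, sh in audit(PASSWD, SHADOW):
        print(f"{name:12} password={pw:16} shell={sh}")
    print("PermitEmptyPasswords:", permit_empty_passwords(SSHD_CONFIG))
    print(lock_empty_fields(SHADOW), end="")
```

On the constructed data the audit flags libuuid as empty/interactive and Debian-exim as empty/nologin; after `lock_empty_fields` only root (a normal hashed account) and libuuid (locked, but still on /bin/sh) remain in the report. Whether an empty field actually authenticates is decided by the PAM stack (pam_unix's nullok / nullok_secure options) and, for ssh, by PermitEmptyPasswords; the script reports the state of the field, not the final decision, which is why locking the field is the robust fix regardless of shell.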



Re: Empty password field for libuuid Debian-exim - Why not a security risk?

2009-10-15 Thread Matthew Smith
Quoth Dr. Mark A. Friedman at 2009-10-16 13:25...
> Upon installation, Debian includes users libuuid and Debian-exim in
> /etc/shadow with an empty password field:
>
> libuuid::14292:0:9:7:::
> Debian-exim::14377:0:9:7:::

Interesting question.  Can't answer it, but will recount a similar
situation I've visited recently.

Only last week I was looking at possible security loopholes in a web
application I am writing.  Found a similar scenario:

Users were being created with a blank password, but not enabled.  Only
when the account was enabled, would they be able to log in.  I surmised
that if there were some unknown loophole that would allow the user
active y/n check to be bypassed, entering the user name (if it were
known) with a null password would allow a login to take place.

To prevent this from happening, I am generating a random password (which
is stored as a cryptographic hash) which is actually longer than the
application will accept.  Whilst I can't see any way that the user
active check could be bypassed, this gives an extra level of security,
just in case.

Cheers

M


-- 
Matthew Smith
Smiffytech - Technology Consulting  Web Application Development
Business:  http://www.smiffytech.com/
Blog/personal: http://www.smiffysplace.com/
LinkedIn:  http://www.linkedin.com/in/smiffy
Skype: msmiffy
Twitter:   @smiffy





Re: Empty password field for libuuid Debian-exim - Why not a security risk?

2009-10-15 Thread Alex Samad
On Thu, Oct 15, 2009 at 10:55:37PM -0400, Dr. Mark A. Friedman wrote:
> Upon installation, Debian includes users libuuid and Debian-exim in
> /etc/shadow with an empty password field:
>
> libuuid::14292:0:9:7:::
> Debian-exim::14377:0:9:7:::
>
> Although Debian-exim specifies /bin/false as a shell in /etc/passwd to
> eliminate login, libuuid does not:
>
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> Debian-exim:x:103:105::/var/spool/exim4:/bin/false
>
> Besides which, the use of /bin/false does not eliminate use of an
> account in ways through ssh. e.g.
> http://www.semicomplete.com/articles/ssh-security/
>
> 1) What stops one from logging into a Debian machine through libuuid
> or Debian-exim by specifying a blank password?  Or, using ssh through
> one of these users and a blank password?

By default ssh doesn't allow blank/empty passwords.

> 2) For a greater degree of comfort or security, could I change the
> password field to an '*' for these users without causing a problem?
> And, where would I see that problem if it did occur (e.g. exim is not
> installed on my system)?
>
> libuuid:*:14292:0:9:7:::
> Debian-exim:*:14377:0:9:7:::
>
> Thanks in advance.
>
>

-- 
The important question is, how many hands have I shaked?

- George W. Bush
10/23/1999
on why he hadn't spent more time in New Hampshire, New York Times

