On Mon, Feb 11, 2013 at 10:57:46PM +0100, Antoine Jacoutot wrote:
> On Mon, Feb 11, 2013 at 10:11:25PM +0100, André Stöbe wrote:
> > Antoine Jacoutot wrote:
> > > This diff adds 2 new options to usermod(8):
> > > -U to unlock a user's password
> > > -Z to lock a user's password
> >
> > Today I was working with these two switches and really got confused.
> > I've tested the following with snapshots from Jan 11 and 5.3-beta.
> >
> > I've got a user with 13 asterisks in the password field as described in
> > passwd(5):
> > test:*************:1002:1002::0:0:,,,:/home/test:/bin/ksh
> >
> > After locking the account with "usermod -Z test":
> > test:*************:1002:1002::0:0:,,,:/home/test:/bin/ksh-
> >
> > After unlocking the account with "usermod -U test":
> > test:************:1002:1002::0:0:,,,:/home/test:/bin
> >
> > 1) The login shell is broken.
> > 2) The password field consists of 12 asterisks. I'd expect it to be just
> > the same as it was before unlocking the account. This probably makes
> > security(8) complain, and more importantly, it never adds an asterisk
> > when locking but always removes an asterisk when unlocking, so the
> > account would be accessible without a password after some lock-unlock
> > cycles (at least the shell is still broken):
> > test::1002:1002::0:0:,,,:/home/test:/bin
> >
> > Can't tell if this problem relates to users with normal password
> > authentication. I did only test users with 13 asterisks in the password
> > field.
>
> I'll have a look.

OK, I was reading passwd(5) and now I'm asking myself - why the hell do
daemons from ports have 13 asterisks in password field (base daemons just
have single asterisk)?

_tor:*************:566:566:daemon:0:0:tor:/nonexistent:/sbin/nologin

This is obviously not intended to be an account for logging in even via some
"other authentication methods".

jirib
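
The failure mode reported in this thread (the password field losing one asterisk per lock/unlock cycle until it is empty), modelled next to a reversible variant. This is an added example, not part of the original messages and not usermod(8) source. The rule in `reported_lock` and the use of the `-` shell suffix as the lock marker in the `symmetric_*` functions are assumptions of this sketch.

```python
# Added example: models the behaviour reported in this thread; not usermod(8) source.
PW, SHELL = 1, 9  # field indexes in a master.passwd-style line
# Entry from the report: 13 asterisks in the password field.
ENTRY = "test:" + "*" * 13 + ":1002:1002::0:0:,,,:/home/test:/bin/ksh"

def reported_lock(line):
    # Assumption: a field that already starts with '*' is treated as locked and
    # left alone, which matches "never adds an asterisk when locking".
    f = line.split(":")
    if not f[PW].startswith("*"):
        f[PW] = "*" + f[PW]
    return ":".join(f)

def reported_unlock(line):
    # Reported: unlocking always removes one leading '*'.
    f = line.split(":")
    if f[PW].startswith("*"):
        f[PW] = f[PW][1:]
    return ":".join(f)

def symmetric_lock(line):
    # Assumption: the '-' shell suffix seen in the report carries the lock state,
    # so the '*' is added exactly once per lock, whatever the field contains.
    f = line.split(":")
    if not f[SHELL].endswith("-"):
        f[PW], f[SHELL] = "*" + f[PW], f[SHELL] + "-"
    return ":".join(f)

def symmetric_unlock(line):
    # Undo only what symmetric_lock did; an unlocked entry is returned unchanged.
    f = line.split(":")
    if f[SHELL].endswith("-") and f[PW].startswith("*"):
        f[PW], f[SHELL] = f[PW][1:], f[SHELL][:-1]
    return ":".join(f)

def cycles_until_empty(lock, unlock, line, limit=50):
    """Return the lock/unlock cycle at which the password field becomes empty,
    or None if it is still non-empty after `limit` cycles."""
    for n in range(1, limit + 1):
        line = unlock(lock(line))
        if line.split(":")[PW] == "":
            return n
    return None
```

With the reported behaviour the 13-asterisk entry reaches an empty password field after 13 cycles; the symmetric pair returns the entry byte-for-byte after every cycle.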
