
Re: adduser: what is the difference between --disabled-password and --disabled-login

On Mon, May 09, 2005 at 01:14:27PM -0400, Stephen Gran wrote:
> This one time, at band camp, Marc Haber said:
> > On Mon, 09 May 2005 15:34:06 +0300, Shaul Karl <shaulk@013.net> wrote:
> > >adduser(8) states that 
> > >
> > >    With the --disabled-login option, the account will be created but
> > >    will be disabled until a password is set. The --disabled-password
> > >    option will not set a password, but login are still possible for
> > >    example through SSH RSA keys.
> > >
> > >I wonder what is the difference?
> > 
> > One disables the account, the other sets an invalid password. I think
> > that the manpage is quite clear about that.
> >
> > >Perhaps what I really should have asked is about the contents of
> > >/etc/{passwd,shadow}'s password field for disabled accounts.
> > 
> > One is "*", the other is "!". I never know which is which.
> * is disabled, IIRC, and ! is an invalid password (but would still allow
> logging in with, e.g, an ssh key).  Or so my (often faulty) memory says.

  According to shadow(5),

    If the password field contains some string that is not valid result of
    crypt(3), for instance ! or *, the user will not be able to use a unix
    password to log in, subject to pam(7). 

The way I understand it, the effect of ! or * is identical.
Alternatively, the difference is set by the configuration of pam, which,
I believe, is out of adduser scope. This matches my experience that login
through SSH RSA key is possible even if a '!' is used.
  In any case, am I right that adduser's --disabled-login and 
--disabled-password look to be the same?

> Why didn't you ask the adduser maintainers?

  I need to verify my experience: am I wrong that on a default Debian
system a '!' doesn't prevent login through SSH RSA key? Perhaps a
wishlist bug should be submitted against pam?
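
An added example, not part of the original thread: a small audit that classifies the password field of /etc/shadow lines along the lines of the shadow(5) text quoted above and marks accounts that have no usable password but do have SSH keys. The sample lines, the key-holder set and the function names are constructed for illustration; the crypt(3) check is a heuristic, and whether a key login actually succeeds depends on the PAM and sshd configuration.

```python
import re

# Heuristic for crypt(3) output: modular "$id$..." form or 13-char traditional DES.
_MODULAR = re.compile(r"^\$[0-9a-zA-Z]+\$.+")
_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def _is_crypt(value):
    return bool(_MODULAR.match(value) or _DES.match(value))

def classify_field(field):
    """Classify the second field of an /etc/shadow line."""
    if field == "":
        return "empty"              # no password required, subject to PAM
    if _is_crypt(field):
        return "password"           # usable crypt(3) hash
    if field.startswith("!") and _is_crypt(field[1:]):
        return "locked-hash"        # original hash kept behind a "!" prefix
    return "no-valid-password"      # "*", "!", "!!", ...: never a crypt(3) result

def audit(shadow_text, users_with_keys):
    """Return {user: (state, key_login_candidate)} for each shadow line."""
    report = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0] or parts[0].startswith("#"):
            continue                # blank, comment or malformed line
        user, state = parts[0], classify_field(parts[1])
        # Password login is ruled out, but a key file is present: review these.
        candidate = (state in ("locked-hash", "no-valid-password")
                     and user in users_with_keys)
        report[user] = (state, candidate)
    return report

# Constructed sample data (not from a real system).
SAMPLE_SHADOW = """\
alice:$6$saltsalt$abcdefghijklmnopqrstuv:12900:0:99999:7:::
bob:!:12900:0:99999:7:::
carol:*:12900:0:99999:7:::
dave:!$6$saltsalt$abcdefghijklmnopqrstuv:12900:0:99999:7:::
eve::12900:0:99999:7:::
"""
SAMPLE_KEYS = {"bob", "dave"}       # assumed to have ~/.ssh/authorized_keys

if __name__ == "__main__":
    for user, (state, flagged) in audit(SAMPLE_SHADOW, SAMPLE_KEYS).items():
        print(f"{user:6} {state:18} key-login-candidate={flagged}")
```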
