
Re: adduser: disabling passwords, disabling logins



On Tue, 08 Mar 2022 at 17:49:04 +0100, Marc Haber wrote:
> (3)
> #625758
> --disabled-password just does not set a password for the newly created
> account (resulting in '*' in shadow) while --disabled-login places a '!'
> in shadow. On modern systems with PAM, both variants seem to be
> identical, allowing login via ssh.

I assume you mean: allowing login via ssh if other steps have been taken
to allow it, like creating and populating ~/.ssh/authorized_keys?

This ties in with the suggestion that system accounts should be "locked"
(usermod -L -e 1) when the package that owns them is removed. usermod -L
edits the crypted password in /etc/shadow to prevent login, by prepending
'!', which is not a possible crypt(3) output: so it seems the distinction
between these options is something like:

--disabled-password: the new account doesn't have a valid password, so
password authentication will always fail

--disabled-login: the new account has an empty password but is "locked";
so password authentication will fail, but "unlocking" the account will
result in login being accepted with a blank password (subject to other
policies like ssh PermitEmptyPasswords and PAM nullok)

    smcv
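
To make the distinction drawn in the reply above concrete, here is an added example (not code from adduser, shadow-utils or the mailing-list thread) that classifies the password and expiry fields of /etc/shadow entries in the terms the reply uses: '*' as "no valid password", a leading '!' as "locked" with whatever an unlock would leave behind, an empty field as "empty password", and a past expiry date as "expired". It assumes the shadow(5) field layout; the function names shadow_state and shadow_demo, the optional TODAY_DAYS argument, and the sample entries are mine, and the hashes in the samples are placeholders. It goes slightly beyond the thread by also treating '!!' as locked-over-invalid rather than locked-over-empty.

```shell
#!/bin/sh
# Classify /etc/shadow entries in the terms used in the thread.
# Added example; not code from adduser, shadow-utils or the post.
# Assumes the shadow(5) layout: name:passwd:lastchg:min:max:warn:inactive:expire:reserved

# shadow_state LINE [TODAY_DAYS]
#   Prints one of:
#     password           ordinary crypt(3) hash: password authentication possible
#     empty-password     empty field: a blank password is accepted if sshd's
#                        PermitEmptyPasswords / pam_unix's nullok allow it
#     no-valid-password  '*' (adduser --disabled-password) or similar: never a
#                        crypt(3) output, so password authentication always fails
#     locked+<state>     leading '!' (adduser --disabled-login, usermod -L, passwd -l);
#                        <state> is what remains once the '!' is removed again,
#                        i.e. what an unlock would leave behind
#   and appends ",expired" when the expire field (days since the epoch, as set
#   by usermod -e) is not in the future. TODAY_DAYS defaults to the real date and
#   exists only so results can be checked deterministically.
shadow_state() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)

    lock=""
    case "$pw" in
        "!"*) lock="locked+"; pw=${pw#"!"} ;;   # usermod -L prepends exactly one '!'
    esac
    case "$pw" in
        "")          base="empty-password" ;;
        "*"* | "!"*) base="no-valid-password" ;;  # '*', '!!' and the like: not crypt(3) output
        *)           base="password" ;;
    esac
    state="$lock$base"

    # pam_unix's account check rejects an expired account regardless of how the
    # user authenticated (keys included), which is what "-e 1" adds over "-L" alone.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ] 2>/dev/null; then
        state="$state,expired"
    fi
    printf '%s\n' "$state"
}

# Constructed sample entries (not from a real system); the hashes are placeholders.
shadow_demo() {
    printf '%s\n' \
        'alice:$6$saltsalt$placeholderhash:19000:0:99999:7:::' \
        'svc-star:*:19000:0:99999:7:::' \
        'svc-bang:!:19000:0:99999:7:::' \
        'svc-locked:!$6$saltsalt$placeholderhash:19000:0:99999:7:::' \
        'svc-removed:!$6$saltsalt$placeholderhash:19000:0:99999:7::1:' \
        'guest::19000:0:99999:7:::' |
    while IFS= read -r entry; do
        printf '%-12s %s\n' "${entry%%:*}" "$(shadow_state "$entry")"
    done
}

shadow_demo
```

Run it against a copy of /etc/shadow with `while IFS= read -r e; do shadow_state "$e"; done < shadow.copy` to see which service accounts are merely "no-valid-password" (password login blocked, key login still possible) and which are actually expired.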

