Re: adduser: disabling passwords, disabling logins
On Tue, 8 Mar 2022 18:40:11 +0000, Simon McVittie <smcv@debian.org>
wrote:
>On Tue, 08 Mar 2022 at 17:49:04 +0100, Marc Haber wrote:
>> (3)
>> #625758
>> --disabled-password just does not set a password for the newly created
>> account (resulting in '*' in shadow) while --disabled-login places a '!'
>> in shadow. On modern systems with PAM, both variants seem to be
>> identical, allowing login via ssh.
>
>I assume you mean: allowing login via ssh if other steps have been taken
>to allow it, like creating and populating ~/.ssh/authorized_keys?
Yes, right.
>This ties in with the suggestion that system accounts should be "locked"
>(usermod -L -e 1) when the package that owns them is removed.
Yes.
>usermod -L
>edits the crypted password in /etc/shadow to prevent login, by prepending
>'!', which is not a possible crypt(3) output: so it seems the distinction
>between these options is something like:
>
>--disabled-password: the new account doesn't have a valid password, so
>password authentication will always fail
>
>--disabled-login: the new account has an empty password but is "locked";
>so password authentication will fail, but "unlocking" the account will
>result in login being accepted with a blank password (subject to other
>policies like ssh PermitEmptyPasswords and PAM nullok)
That way, --disabled-login doesn't sound desirable at all; it would
violate the principle of least surprise, at least for me. I'd have
expected (and always believed) that a password of ! will also prevent
ssh-key logins from happening.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
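To make the distinction in the exchange above concrete, here is a small Python model of how the /etc/shadow password field, the expiry field and the sshd/PAM split decide which logins are accepted. This is an added example, not code from adduser, shadow-utils or sshd, and nothing in it is taken from the thread beyond the cases it discusses. The shadow lines are constructed (the $6$ strings are placeholders shaped like crypt(3) output, not real hashes), and the sshd rules are my reading of its allowed_user() check, stated as assumptions in the comments: with UsePAM yes the decision is pam_unix's, which only looks at aging/expiry, so neither '*' nor '!' stops key-based login; with UsePAM no, sshd itself refuses a field starting with '!' for every method but treats '*' as an ordinary unmatchable hash.

```python
"""Model of how a /etc/shadow password field gates logins.

Added example for the adduser thread; not adduser's, shadow-utils' or
sshd's own code. Shadow lines are constructed; sshd/PAM rules are
assumptions documented in the comments.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed shadow entries mirroring the cases in the thread.
# Fields: name:passwd:lastchg:min:max:warn:inact:expire:flag
# The $6$ strings are placeholders with the shape of a crypt(3) hash.
SAMPLE_SHADOW = """\
svc_star:*:19059:0:99999:7:::
svc_bang:!:19059:0:99999:7:::
alice:!$6$placeholder$notarealhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19059:0:99999:7:::
bob:$6$placeholder$notarealhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19059:0:99999:7:::
svc_removed:!:19059:0:99999:7::1:
nopass::19059:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    passwd: str
    expire_days: Optional[int]  # days since 1970-01-01; empty field -> None


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines into entries, keeping only what the model needs."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        expire = int(fields[7]) if fields[7] else None
        entries.append(ShadowEntry(fields[0], fields[1], expire))
    return entries


def password_state(field: str) -> str:
    """blank: empty field; locked: leading '!' (usermod -L / passwd -l);
    invalid: '*' family, which no crypt(3) call can produce; hash: anything else."""
    if field == "":
        return "blank"
    if field.startswith("!"):
        return "locked"
    if field.startswith("*"):
        return "invalid"
    return "hash"


def unlock(field: str) -> str:
    """What usermod -U does to the field: drop one leading '!'."""
    return field[1:] if field.startswith("!") else field


def account_expired(entry: ShadowEntry, today_days: int) -> bool:
    """pam_unix treats a positive expire field that is <= today as PAM_ACCT_EXPIRED;
    that is what usermod -e 1 relies on."""
    return entry.expire_days is not None and 0 < entry.expire_days <= today_days


def password_auth(field: str, permit_empty: bool = False) -> bool:
    """Can any typed password match this field?  permit_empty models
    sshd PermitEmptyPasswords yes together with pam_unix nullok."""
    state = password_state(field)
    if state == "hash":
        return True
    if state == "blank":
        return permit_empty
    return False  # locked or invalid: no crypt(3) output ever matches


def assess(entry: ShadowEntry, today_days: int, use_pam: bool = True,
           permit_empty: bool = False) -> Dict[str, bool]:
    """Assumed rules: an expired account is refused for every method.
    UsePAM yes: sshd defers to PAM, whose account check ignores the hash
    prefix, so '!' and '*' behave alike and do not block key logins.
    UsePAM no: sshd refuses a '!'-prefixed field outright (its Linux
    locked-password prefix) but sees '*' as just an unmatchable hash."""
    expired = account_expired(entry, today_days)
    locked = password_state(entry.passwd) == "locked"
    refused_outright = expired or (locked and not use_pam)
    return {
        "password_login": not refused_outright and password_auth(entry.passwd, permit_empty),
        "pubkey_login": not refused_outright,
        # The surprise from the thread: unlocking a --disabled-login account
        # would leave an empty password (current usermod refuses to do that).
        "unlock_gives_blank_password": locked and unlock(entry.passwd) == "",
    }


def report(text: str = SAMPLE_SHADOW, today_days: int = 19059,
           **kw) -> Dict[str, Dict[str, bool]]:
    """Assess every entry; today_days is fixed so the output is reproducible."""
    return {e.name: assess(e, today_days, **kw) for e in parse_shadow(text)}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:12s} {result}")
    print("--- UsePAM no ---")
    for name, result in report(use_pam=False).items():
        print(f"{name:12s} {result}")
```

Running it with the defaults shows svc_star ('*') and svc_bang ('!') getting identical results, which is the observation that started the thread; only svc_removed, the `usermod -L -e 1` case, is refused for both passwords and keys. Running it with use_pam=False shows the behaviour Marc expected from '!': svc_bang and alice lose key login while svc_star keeps it.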