Marc Haber <mh+debian-devel@zugschlus.de> wrote on 10/03/2022 at 21:35:27+0100:

> On Wed, 09 Mar 2022 21:34:33 +0100, Pierre-Elliott Bécue
> <peb@debian.org> wrote:
>>Considering many have replied, I'll stick to that one:
>>Marc Haber <mh+debian-devel@zugschlus.de> wrote on 08/03/2022 at 17:49:04+0100:
>>> (3)
>>> #625758
>>> --disabled-password just does not set a password for the newly created
>>> account (resulting in '*' in shadow) while --disabled-login places a '!'
>>> in shadow. On modern systems with PAM, both variants seem to be
>>> identical, allowing login via ssh. Aside from the documentation needing
>>> change to document reality, should we introduce a --no-set-password
>>> option and deprecate the two older options (to be removed in trixie+2)?
>>
>>How about --disabled-login => shell is set to /usr/sbin/nologin ?
>
> I have noted that as one of the options for my summary. I assume that
> in that case, the password should still be * to avoid creating an
> active unlocked account with empty password?
>
> Greetings

If you set /usr/sbin/nologin as the shell, any interactive usage of the
account is locked for good. Of course, you could still fetch mails or
things like that if the machine provides imap accounts for unix
accounts, but then I'd guess someone eager to avoid that would use
--disabled-password combined with --disabled-login.

Altering the password with --disabled-login seems counterintuitive to
me, but I'd still be fine with it.

-- 
PEB
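An added example, not part of the thread or of adduser: a Python audit that applies the distinction discussed above ('*' or '!' in shadow versus the login shell) to passwd/shadow text, reporting accounts whose password is unusable but whose shell is still interactive, plus any with an empty password field. The account names, sample file contents and the list of non-interactive shells are constructed assumptions.

```python
# Constructed sample data; not taken from any real system.
SAMPLE_PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
svc-pw:x:1001:1001::/home/svc-pw:/bin/bash
svc-login:x:1002:1002::/home/svc-login:/bin/bash
svc-nologin:x:1003:1003::/home/svc-nologin:/usr/sbin/nologin
oops:x:1004:1004::/home/oops:/bin/bash
"""
SAMPLE_SHADOW = """\
alice:$y$j9T$constructedsalt$constructedhash:19000:0:99999:7:::
svc-pw:*:19000:0:99999:7:::
svc-login:!:19000:0:99999:7:::
svc-nologin:*:19000:0:99999:7:::
oops::19000:0:99999:7:::
"""
# Assumed list of shells that refuse interactive sessions.
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin",
                          "/bin/false", "/usr/bin/false"}

def password_state(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"      # no password required at all
    if field.startswith("!"):
        return "locked"     # what the thread says --disabled-login writes
    if field.startswith("*"):
        return "no-hash"    # what the thread says --disabled-password writes
    return "hash"

def audit(passwd_text, shadow_text):
    """Return {account: finding} for entries worth a second look."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, field = line.split(":")[:2]
            shadow[name] = field
    findings = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or parts[0] not in shadow:
            continue
        name, shell = parts[0], parts[6]
        state = password_state(shadow[name])
        if state == "empty":
            findings[name] = "empty password field"
        elif state in ("locked", "no-hash") and shell not in NON_INTERACTIVE_SHELLS:
            findings[name] = f"password {state}, shell {shell or '(default)'} still interactive"
    return findings

if __name__ == "__main__":
    for account, why in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{account}: {why}")
```
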