
Re: Seeking consensus for some changes in adduser



On Thu, Mar 10, 2022 at 09:35:27PM +0100, Marc Haber wrote:
> On Wed, 09 Mar 2022 21:34:33 +0100, Pierre-Elliott Bécue
> <peb@debian.org> wrote:
> >Considering many have replied, I'll stick to that one:
> >Marc Haber <mh+debian-devel@zugschlus.de> wrote on 08/03/2022 at 17:49:04+0100:
> >> (3)
> >> #625758
> >> --disabled-password just does not set a password for the newly created
> >> account (resulting in '*' in shadow) while --disabled-login places a '!'
> >> in shadow. On modern systems with PAM, both variants seem to be
> >> identical, allowing login via ssh. Aside from the documentation needing
> >> change to document reality, should we introduce a --no-set-password
> >> option and deprecate the two older options (to be removed in trixie+2)?
> >
> >How about --disabled-login => shell is set to /usr/sbin/nologin ?
> 
> I have noted that as one of the options for my summary. I assume that
> in that case, the password should still be * to avoid creating an
> active unlocked account with empty password?

+1 to --disabled-login setting the shell to /usr/sbin/nologin with
documentation being updated to reflect this.  I'd suggest a default
behavior of a password of '*', with the ability to override it and
prompt for a real password with a "--set-password".  Although honestly,
I also wouldn't be opposed to requiring an extra step of calling
'usermod' to set a password for a disabled account.  It's sort of a
special case, and not one that has to be explicitly handled by adduser.

noah
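
Added illustration, not part of the original message or of adduser: a small audit that reads passwd(5) and shadow(5) data and separates the account states discussed in this thread ('*' or '!' with a login shell, a nologin shell, and an empty password field). The sample accounts, the result labels and the set of shells treated as non-interactive are assumptions made for the example.

```python
"""Classify accounts by shadow password state and login shell."""

# Shells treated as non-interactive (assumption for this example).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample data in passwd(5) / shadow(5) format.
SAMPLE_PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
svc-backup:x:1001:1001::/home/svc-backup:/bin/bash
svc-deploy:x:1002:1002::/home/svc-deploy:/bin/bash
svc-web:x:1003:1003::/home/svc-web:/usr/sbin/nologin
kiosk:x:1004:1004::/home/kiosk:/bin/bash
"""
SAMPLE_SHADOW = """\
alice:$y$j9T$CONSTRUCTED$CONSTRUCTEDHASH:19000:0:99999:7:::
svc-backup:*:19000:0:99999:7:::
svc-deploy:!:19000:0:99999:7:::
svc-web:*:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
"""

def password_state(field):
    """Classify the second field of a shadow(5) entry."""
    if field == "":
        return "empty"        # no password required at all
    if field[0] in "!*":
        return "unusable"     # no hash starts with '!' or '*', so no password matches
    return "set"

def audit(passwd_text, shadow_text):
    """Return {account: finding} for every passwd entry."""
    shadow = {}
    for line in filter(str.strip, shadow_text.splitlines()):
        name, pw = line.split(":")[:2]
        shadow[name] = pw
    findings = {}
    for line in filter(str.strip, passwd_text.splitlines()):
        fields = line.split(":")
        name, shell = fields[0], fields[6]
        # A missing shadow entry is treated as an unusable password.
        state = password_state(shadow.get(name, "*"))
        if shell in NOLOGIN_SHELLS:
            findings[name] = "no-shell"
        elif state == "empty":
            findings[name] = "empty-password"
        elif state == "unusable":
            # Password auth fails, but the shell is still reachable by other
            # means (the thread's example: ssh), for both '*' and '!'.
            findings[name] = "non-password-login-only"
        else:
            findings[name] = "password-login"
    return findings
```

On a real system the same function can be fed the contents of /etc/passwd and /etc/shadow (the latter needs root to read).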

