Question About /etc/shadow

Oliver Grawert ogra at ubuntu.com
Sun Oct 2 11:14:01 UTC 2016


hi,
On Saturday, 01.10.2016, at 19:07 -0500, Jay Ridgley wrote:
> Good Evening,
> 
> I noticed that the entry for root is slightly different on two of my 
> systems. I am wondering which is the more secure.
> 
> In the second field each has a single character:
> 
> one has !

have a look at -l and -u in the passwd manpage .. 
! prefixes an existing hash to mark the account as locked. 
using -l and -u will add or remove that prefix without touching the
passwd hash (to create such a user initially you can use the 
--disabled-login option for the adduser command).

> the other *

the asterisk is used if there has never been a password set, i.e. if
you use "sudo adduser --disabled-password <user>"

both will prevent a password based login if they are there. accounts
that have "*" will be able to change their password, the asterisk is
replaced and they can log in in the future. accounts with "!" are not
able to change their password at all

> What are those other means and when should ! or * be used?
> 
you should not care when which is to be used, let the tools do the
right thing (there is most of the times more to it than just changing
contents of the shadow file, and the tools know what all that is) ...
these are internal markers. 

simply do not edit the file by hand as a golden rule but instead use
the right options with the tools... ;)

the "other means" are for example ssh key based logins, i.e. you can
create an account with the --disabled-password option from above but
copy the ssh key in place and configure sshd for key based logins. the
user will not be able to log in on the console of the machine but can
still ssh to it.

> In reading I find that ! normally precedes the prior hash. What if
> the 
> prior hash was null (no login required)?
> 
then the account is still locked while the ! is there and unlocked when
it is removed. using the "former password" (i.e. nothing).

ciao
	oli 
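
The markers discussed in this thread, as an added example that is not part of the original message: a shell function that reads shadow-format lines and reports what each account's second field means, including the "!" with nothing behind it from the last question. The sample lines, account names, placeholder hash and state labels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): read-only classification of
# the second field of shadow-format lines. Nothing here edits the file.

# Constructed sample lines in /etc/shadow layout; the hash is a placeholder.
sample_shadow() {
    cat <<'EOF'
root:!:17076:0:99999:7:::
backup:*:17076:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17076:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17076:0:99999:7:::
guest::17076:0:99999:7:::
EOF
}

# Prints "user state" for every line read on stdin. States (labels are
# this example's own):
#   hash               a password hash is set, password login possible
#   nopassword         "*": no password was ever set
#   empty              empty field: no password is required
#   locked-hash        "!" in front of a hash: locked, hash preserved
#   locked-empty       "!" alone: locked, and nothing behind the marker
#   locked-nopassword  "!*": locked, no password was ever set
#   other / locked-other  any other string that is not a recognised hash
classify_shadow() {
    awk -F: '
    NF < 2 { next }                      # skip blank or malformed lines
    {
        pw = $2; locked = ""
        if (pw ~ /^!/) {                 # lock marker: remember it, strip it
            locked = "locked-"
            sub(/^!+/, "", pw)
        }
        if (pw == "")        kind = "empty"
        else if (pw == "*")  kind = "nopassword"
        else if (pw ~ /^\$/) kind = "hash"
        else                 kind = "other"
        print $1, locked kind
    }'
}

# Demo on the constructed sample. On a real system the input would be
# the shadow file itself, e.g.: sudo cat /etc/shadow | classify_shadow
sample_shadow | classify_shadow
```

An account reported as `locked-empty` is the case from the last question: while the "!" is there the account stays locked, and there is no password behind the marker.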