I've got 2 replies that were very useful.
Many thanks to Darren Dunham and Matthew Stier.
My original post:
================
Hi List,
Environment: Sun Solaris 7 using NIS
On the passwd file for NIS (not on the local passwd file, here all entries
have x in the password field)
there are some entries which have an * instead of x in the password field
like:
telalert:*:1207:1207:TelAlert Paging on nnm & eftia:/tmp:/bin/true
mailadmin:*:1301:1302:Mail Admin Mail Account:/tmp:/bin/true
reporter:*:1303:110:SQL Reporter on DB:/usr/local/reporter:/bin/csh
These entries do not have an equivalent on the shadow file.
They are used for applications only, no real person is using them to login.
What does * mean, and why do they not use x in the password field?
Is this a security breach?
Here are the replies:
From: Darren Dunham [mailto:ddunham@taos.com]
=============================================
* is simply an "invalid" password, so no one can log in to the account
directly.
x is simply a token that means 'go look in shadow'.
> Should we replace the * with an x?
Only if you create a shadow entry and put a '*' in the password slot.
Remember, the only reason for the separate shadow file is so that normal
users can't see the users' password hash. Since this user's password
hash is '*', there's nothing to decrypt. There is no vulnerable
password.
--
Darren Dunham ddunham@taos.com
Unix System Administrator Taos - The SysAdmin Company
Got some Dr Pepper? San Francisco, CA bay area
< Please move on, ...nothing to see here, please disperse >
From: Matthew Stier [mailto:Matthew.Stier@fnc.fujitsu.com]
==========================================================
It doesn't matter.
An encoded password entry will ALWAYS be 13 characters.
Since a blank password entry means the account has no password, a value has
to be put into it. Since a valid encoded password is always 13 characters,
putting any non-13-character string in the password field will result in a
non-matchable string, and thus a locked account.
The asterisk character is typically used, since the encoding algorithm will
never produce one. Actually, any character, or string of characters, that cannot
be the result of encoding any password will work.
Since the facility I work at is small, we do not reuse account names or
user IDs. To lock accounts, we use a string of two asterisks, the date encoded
as an 8-character string, and two more asterisks.
mstier:**20001123**:1234:1234:....
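The two replies together give a simple rule for reading an NIS passwd map: a field that can never equal the output of crypt(3) locks the account, "x" only defers to shadow, and an empty field or a real hash sitting in the world-readable map is what actually deserves attention. The following audit script is an added example, not code from either poster or from Sun; it encodes that rule for the traditional DES crypt(3) Solaris 7 used (13 characters from a 64-symbol alphabet that does not contain "*"). The first three passwd lines are the ones from the question; every other user, the hash value and the shadow lines are constructed for illustration, as are the state names the script returns.

```python
import re
from typing import Dict, List, Optional

# Traditional DES crypt(3), the only scheme Solaris 7 used, always yields
# 13 characters from this 64-symbol alphabet: 2 salt chars + 11 hash chars.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def could_be_crypt_hash(field: str) -> bool:
    """True only if the field could have been produced by traditional crypt(3).

    '*' is outside the crypt alphabet, so '*' or '**20001123**' can never equal
    the hash of any typed password; such a field locks the account.
    """
    return CRYPT_RE.match(field) is not None


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Parse passwd- or shadow-style lines into {username: fields}."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed entry: {raw!r}")
        entries[fields[0]] = fields
    return entries


def classify(passwd_field: str, shadow_field: Optional[str]) -> str:
    """Classify one account from its passwd password field and shadow entry.

    The state names are this example's own, not Solaris terminology.
    """
    if passwd_field == "x":
        # 'x' is only a token meaning "look in shadow"; it locks nothing by itself.
        if shadow_field is None:
            return "x-without-shadow-entry"    # x points at nothing: misconfigured
        if shadow_field == "":
            return "shadowed-empty-password"   # no password required at all
        if could_be_crypt_hash(shadow_field):
            return "shadowed-hashed"           # normal, active account
        return "shadowed-locked"               # e.g. '*' in shadow, as Darren suggests
    if passwd_field == "":
        return "empty-password"                # anyone can log in
    if could_be_crypt_hash(passwd_field):
        return "hash-exposed-in-passwd"        # real hash readable via ypcat passwd
    return "locked"                            # invalid hash in passwd, e.g. '*'


def audit(passwd_text: str, shadow_text: str) -> Dict[str, str]:
    """Join passwd and shadow by username and classify every passwd entry."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    return {
        name: classify(fields[1], shadow[name][1] if name in shadow else None)
        for name, fields in passwd.items()
    }


RISKY = {"empty-password", "shadowed-empty-password",
         "hash-exposed-in-passwd", "x-without-shadow-entry"}


def risky_accounts(results: Dict[str, str]) -> List[str]:
    """Names whose state means a password is missing, exposed or inconsistent."""
    return sorted(name for name, state in results.items() if state in RISKY)


# Constructed sample data: the first three lines come from the question, the
# mstier password field from Matthew's reply; all other fields and users are made up.
SAMPLE_PASSWD = """\
telalert:*:1207:1207:TelAlert Paging on nnm & eftia:/tmp:/bin/true
mailadmin:*:1301:1302:Mail Admin Mail Account:/tmp:/bin/true
reporter:*:1303:110:SQL Reporter on DB:/usr/local/reporter:/bin/csh
mstier:**20001123**:1234:1234:constructed remainder:/home/mstier:/bin/ksh
cmoldovan:x:1400:10:constructed active user:/home/cmoldovan:/bin/ksh
svcacct:x:1401:10:constructed, locked via shadow:/tmp:/bin/true
guest:x:1402:10:constructed, x but no shadow entry:/home/guest:/bin/sh
legacy:abJnggxhB/yWI:1403:10:constructed, hash left in passwd:/home/legacy:/bin/sh
nopass::1404:10:constructed, empty password field:/home/nopass:/bin/sh
"""

# Constructed shadow lines; the 13-character value is a made-up but well-formed hash.
SAMPLE_SHADOW = """\
cmoldovan:abJnggxhB/yWI:11284::::::
svcacct:*:11284::::::
"""

if __name__ == "__main__":
    results = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, state in results.items():
        print(f"{name:10} {state}")
    print("needs attention:", risky_accounts(results))
```

On the sample data the three application accounts from the question and mstier's "**20001123**" entry all come out as "locked", matching Darren's point that there is no hash to attack; the entries that get flagged are the constructed ones with an empty password field, a real hash left in the world-readable map, and an "x" with no shadow entry behind it. To run it against a real host, feed it the output of `ypcat passwd` and the contents of the local shadow file instead of the constructed strings.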
Thank you all,
Constantin Moldovan
GT Group Telecom
BEFORE POSTING please READ the FAQ located at
ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq
and the list POLICY statement located at
ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy
To submit questions/summaries to this list send your email message to:
sun-managers@sunmanagers.ececs.uc.edu
To unsubscribe from this list please send an email message to:
majordomo@sunmanagers.ececs.uc.edu
and in the BODY type:
unsubscribe sun-managers
Or
unsubscribe sun-managers original@subscription.address
To view an archive of this list please visit:
http://www.latech.edu/sunman.html
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:23 CDT