I've got 2 replies that were very useful.
Many thanks to Darren Dunham and Matthew Stier.
My original post:
Environment: Sun Solaris 7 using NIS
On the passwd file for NIS (not on the local passwd file, here all entries
have x in the password field)
there are some entries which have an * instead of x in the password field
telalert:*:1207:1207:TelAlert Paging on nnm & eftia:/tmp:/bin/true
mailadmin:*:1301:1302:Mail Admin Mail Account:/tmp:/bin/true
reporter:*:1303:110:SQL Reporter on DB:/usr/local/reporter:/bin/csh
These entries do not have an equivalent on the shadow file.
They are used for applications only, no real person is using them to login.
What does * mean and why they do not use x in the password field?
Is this a security breach?
Here are the replies:
From: Darren Dunham [mailto:firstname.lastname@example.org]
* is simply an "invalid" password, so no one can log in to the account
x is simply a token that means 'go look in shadow'.
> Should we replace the * with an x?
Only if you create a shadow entry and put a '*' in the password slot.
Remember, the only reason for the separate shadow file is so that normal
users can't see the users' password hash. Since this user's password
hash is '*', there's nothing to decrypt. There is no vulnerable
-- Darren Dunham email@example.com Unix System Administrator Taos - The SysAdmin Company Got some Dr Pepper? San Francisco, CA bay area < Please move on, ...nothing to see here, please disperse >
From: Matthew Stier [mailto:Matthew.Stier@fnc.fujitsu.com] ==========================================================
It doesn't matter.
A encoded password entry will ALWAYS be 13 characters.
Since a blank password entry means the account has no password, a value has to be put into it. Since a valid encoded password is always 13 characters, putting any non-13 character string in the password field will result in a non-matchable string, and thus a locked account.
The asterisk character is typically used, since the encoding algorithm will not encode one. I actually any character, or string of characters that cannot be the result of encoding any password will work.
Since the facility I work at is small, we do not reuse accountnames or userids. To lock accounts, we use string of two asterisk, the date encoded as an 8 character string, and two more asterisks.
Thank you all, Constantin Moldovan
GT Group Telecom S U BEFORE POSTING please READ the FAQ located at N ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq . and the list POLICY statement located at M ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy A To submit questions/summaries to this list send your email message to: N firstname.lastname@example.org A To unsubscribe from this list please send an email message to: G email@example.com E and in the BODY type: R unsubscribe sun-managers S Or . unsubscribe sun-managers firstname.lastname@example.org L To view an archive of this list please visit: I http://www.latech.edu/sunman.html S T
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:23 CDT