Subject: Re: ***?
To: None <firstname.lastname@example.org>
From: Geoff Adams <email@example.com>
Date: 04/13/2002 03:24:27
On Saturday, April 13, 2002, at 12:45 AM, Charles Shannon Hendrix wrote:
> On Fri, Apr 12, 2002 at 07:17:10PM -0500, Peter Seebach wrote:
>> '*' is correct and unambiguous. What's this with the 13 *'s? I've
>> also seen
>> other admins copying this in new accounts. Argh!
> This is a new thing, or at least, it never used to happen on any of
> my systems. I don't know the exact date this changed, but I know my
> 1.4.x systems didn't do it, and I don't believe my first few 1.5.x
> systems did either.
> It's annoying, and I don't see the point of it.
My guess is that it's an attempt to avoid the warnings generated by the
nightly security script about accounts with no passwords set, but with
valid shells. Thirteen "*"s would mean "This user account is active, but
doesn't use a conventional password for authentication." The traditional
single "*", in contrast, would then only be used to mean "This account
is not a login account."
Of course, when they create a new account, most people would probably
*want* that security script warning, until they either choose not to use
conventional passwords, or a password is set. And if not, then they
might want to set "check_passwd=NO" in /etc/security.conf (although that
has the side effect of turning off all the other passwd file checks,
On the other hand, on my systems, user accounts do not have a
conventional password (I use Kerberos), so I find myself pulling tricks
like this in my password files. So, the situation is annoying in other
ways, too. And I suspect more and more sites are using authentication
mechanisms other than conventional /etc/passwd passwords (OTP, ssh with
public keys, Kerberos, etc.)