Subject: Re: ***?
To: None <current-users@netbsd.org>
From: Geoff Adams <gadams@avernus.com>
List: current-users
Date: 04/13/2002 03:24:27
On Saturday, April 13, 2002, at 12:45 AM, Charles Shannon Hendrix wrote:

> On Fri, Apr 12, 2002 at 07:17:10PM -0500, Peter Seebach wrote:
>> '*' is correct and unambiguous.  What's this with the 13 *'s?  I've
>> also seen other admins copying this in new accounts.  Argh!
>
> This is a new thing, or at least, it never used to happen on any of
> my systems.  I don't know the exact date this changed, but I know my
> 1.4.x systems didn't do it, and I don't believe my first few 1.5.x
> systems did either.
>
> It's annoying, and I don't see the point of it.

My guess is that it's an attempt to avoid the warnings generated by the 
nightly security script about accounts with no passwords set, but with 
valid shells. Thirteen "*"s would mean "This user account is active, but 
doesn't use a conventional password for authentication." The traditional 
single "*", in contrast, would then only be used to mean "This account 
is not a login account."

Of course, when they create a new account, most people would probably 
*want* that security script warning, until they either choose not to use 
conventional passwords, or a password is set. And if not, then they 
might want to set "check_passwd=NO" in /etc/security.conf (although that 
has the side effect of turning off all the other passwd file checks, 
too).

On the other hand, on my systems, user accounts do not have a 
conventional password (I use Kerberos), so I find myself pulling tricks 
like this in my password files. So, the situation is annoying in other 
ways, too. And I suspect more and more sites are using authentication 
mechanisms other than conventional /etc/passwd passwords (OTP, ssh with 
public keys, Kerberos, etc.)

- Geoff
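
The password-field convention guessed at in the message above, as an added example (not part of the original post, and not NetBSD's /etc/security script): an audit pass over master.passwd-style lines that separates an empty field, a single "*", and thirteen "*"s. The state names, the REVIEW/WARN flags, the nologin/false shell test and the sample entries are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify master.passwd-style entries by their password field.
# Assumed reading of the field, taken from the message above (a guess there too):
#   ""          -> EMPTY     no password required at all
#   "*"         -> LOCKED    not a login account
#   13 x "*"    -> EXTERNAL  active, but authenticates some other way
#   other text  -> HASH      conventional password hash

classify_passwd() {
    # stdin: name:passwd:uid:gid:class:change:expire:gecos:home:shell
    awk -F: '
    /^#/ || NF == 0 { next }
    NF != 10        { print $1, "MALFORMED", "REVIEW"; next }
    {
        pw = $2; shell = $10
        # An empty shell field means the default shell, so it counts as a login shell.
        login = (shell !~ /\/(nologin|false)$/)
        if (pw == "")                                state = "EMPTY"
        else if (pw == "*")                          state = "LOCKED"
        else if (pw ~ /^\*+$/ && length(pw) == 13)   state = "EXTERNAL"
        else if (pw ~ /^\*+$/)                       state = "STARS"
        else                                         state = "HASH"

        flag = "OK"
        if (state == "EMPTY" && login)  flag = "WARN"    # passwordless login possible
        if (state == "LOCKED" && login) flag = "REVIEW"  # "*" but a usable shell
        if (state == "STARS")           flag = "REVIEW"  # neither convention
        print $1, state, flag
    }'
}

sample_entries() {
    # Constructed sample data; the hash is a placeholder, not a real one.
    stars=$(printf '%13s' '' | tr ' ' '*')
    cat <<'EOF'
root:$2a$04$CONSTRUCTEDPLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
EOF
    printf 'alice:%s:1000:100::0:0:Alice:/home/alice:/bin/ksh\n' "$stars"
    printf 'bob:*:1001:100::0:0:Bob:/home/bob:/bin/sh\n'
    printf 'carol::1002:100::0:0:Carol:/home/carol:/bin/sh\n'
}

sample_entries | classify_passwd
```

Kerberos- or key-only accounts such as the constructed `alice` come out as EXTERNAL and stay quiet, while a freshly created `bob` with a single "*" and a real shell is still surfaced for review.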