Subject: Re: ***?
To: None <>
From: Greg A. Woods <>
List: current-users
Date: 04/13/2002 14:58:39
[ On Friday, April 12, 2002 at 21:32:07 (-0400), gabriel rosenkoetter wrote: ]
> Subject: Re: ***?
> On Fri, Apr 12, 2002 at 07:17:10PM -0500, Peter Seebach wrote:
> > So, system accounts that have no password use '*'.  Some pkgsrc accounts use
> > '*************'.
> > 
> > Why?
> > 
> > '*' is correct and unambiguous.  What's this with the 13 *'s?  I've also seen
> > other admins copying this in new accounts.  Argh!
> Huh.
> And here I thought *LK* was correct

What's "correct" for a locked account is anything that the password
matching algorithm currently in use on a given host cannot possibly ever
succussfully match.  That's the only safe assumption you can ever make.

Traditionally this has meant any string that is not exactly 13
characters long _and_ does not consist of only the 64 characters
represented by this pattern:  [./0-9A-Za-z]

(In NetBSD-current the possible values of the pw_passwd field depend on
the configuration of /etc/passwd.conf and md5 formats are allowed.)

> so that sshd would know to also
> not log the user in. (Or is that just that *NP* will tell it that it
> *is* allowed to log the user in, and anything else starting with a *
> will keep them out?)

SSH has been broken and fixed and broken several times.  I supplied them
patches way back before the 1.2.20 days, and then again for 1.2.20.  I
don't remember at the moment whether I fixed it for 3.1.0 or not (and
I'm to lazy to check :-)

								Greg A. Woods

+1 416 218-0098;  <>;  <>;  <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>