Subject: Re: ***?
To: None <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 04/13/2002 14:58:39
[ On Friday, April 12, 2002 at 21:32:07 (-0400), gabriel rosenkoetter wrote: ]
> Subject: Re: ***?
> On Fri, Apr 12, 2002 at 07:17:10PM -0500, Peter Seebach wrote:
> > So, system accounts that have no password use '*'. Some pkgsrc accounts use
> > '*************'.
> > Why?
> > '*' is correct and unambiguous. What's this with the 13 *'s? I've also seen
> > other admins copying this in new accounts. Argh!
> And here I thought *LK* was correct
What's "correct" for a locked account is anything that the password
matching algorithm currently in use on a given host cannot possibly ever
succussfully match. That's the only safe assumption you can ever make.
Traditionally this has meant any string that is not exactly 13
characters long _and_ does not consist of only the 64 characters
represented by this pattern: [./0-9A-Za-z]
(In NetBSD-current the possible values of the pw_passwd field depend on
the configuration of /etc/passwd.conf and md5 formats are allowed.)
> so that sshd would know to also
> not log the user in. (Or is that just that *NP* will tell it that it
> *is* allowed to log the user in, and anything else starting with a *
> will keep them out?)
SSH has been broken and fixed and broken several times. I supplied them
patches way back before the 1.2.20 days, and then again for 1.2.20. I
don't remember at the moment whether I fixed it for 3.1.0 or not (and
I'm to lazy to check :-)
Greg A. Woods
+1 416 218-0098; <email@example.com>; <firstname.lastname@example.org>; <email@example.com>
Planix, Inc. <firstname.lastname@example.org>; VE3TCP; Secrets of the Weird <email@example.com>