On 25 Jan 2001, Perry E. Metzger wrote:

> Every day I get reports telling me crud like:
> 
> 	Login toor is off but still has a valid shell (/bin/sh)
> 	Login backup is off but still has a valid shell (/bin/sh)
> 
> etc.
> 
> I want these accounts around -- I just want the password based login
> capability disabled.
> 
> Right now, as it stands, /etc/security prints that message out no
> matter what if field two of the password file is not thirteen or
> twenty characters long. (What is twenty characters for?)

I think this is for using alternative encryption (we can use DES and one
other algorithm, right?).

> I propose that we distinguish between accounts that are not password
> loginable and accounts that are off by using different characters for
> the second field -- something other than * -- and that I then hack the
> /etc/security script to properly note this distinction and ignore the
> accounts that are intentionally on but password disabled.
> 
> Comments?

Agreed, but we'd also need the capability to see if they've changed.  If
the box gets cracked, and backup becomes a loginable user, I'd definitely
want to see that (even though at that point, the cracker has probably
comprimised the system to the point where you can't trust the security
output).  If only from a management point of view, the security and daily
output scripts are good for checking basic changes on the box (such as the
passwd file, etc...).

I'd agree with the idea that in general, a box as configured within
reason should not produce warnings or anomalous results in the daily
outputs, especially when it's a stock configuration right out of base.tgz
and etc.tgz

Just my $0.02

-
Jon
 --------------------------------------------------------------------
 - The opinions expressed are not necesarily those of my employer.
 - USATODAY.com latest Health news for 12/4/2000 at 2:10 p.m.:
    Tobacco firm backs lung cancer test: Spaz the cat will never again
    want for medication to relieve his constipation.