Subject: Re: "daily insecurity output" annoyance
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Simon J. Gerraty <email@example.com>
Date: 01/25/2001 23:41:33
Steven M. Bellovin writes:
>I have similar complaints. How about "nopw" being the magic string
>you're looking for? Better yet, "*nopw", with "*" meaning "/etc/security
>should ignore this; the remaining characters may be significant to
>something else". That way, we can "*files-only" for an ownership id,
>"*ssh-only", "*anon-ftp", etc.
Solaris uses :NP: for no passwd. But I like the idea of *somthing.
I've been using the following at the start of the passwd field
for quite some time - ie. various audit scripts frob the passwd file:
*IDLE* the account was locked due to inactivity.
*LOCKED* the account is valid but the user has been locked out for
some reason - eg. known to be on leave for 2 months.
*WEAK* the account was locked because the passwd was guessed by crack.
Users only have to ring up to get their account unlocked a couple
of times to get the hint.
On some systems, were locking users out for weak passwds isn't accepted
(I don't always get to make the rules ;-), a post processing step the
*WEAK* accounts are re-activated but the passwd set to expire on next
Note that each of the above is prepended to the encrypted passwd - so
that the passwd can be reinstated by simply removing the *FOO*
For accounts which should never have a valid passwd I like the idea
of *files-only etc.