Suse's "passwd" utility has a bit of undesired behaviour.

Most of my users don't have entries in shadow, they depend on pam_krb5 for authentication. So /etc/shadow is very short, it only has lines for root and a few sysadmins.

I want for everyone else (system accounts like FTP and regular users) to be denied even the possibility of a locally stored password.

Now in the past (under Solaris) passwd would grumble and fail unless that username already had a line present in shadow.

THIS passwd just bungs the encrypted string into /etc/passwd! Argh! Nobody ever wants to go back to un-shadowed passwords. How can I turn off this unwantedly obliging behaviour?

TIA,
michaelj

--
Michael James michael.james@csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
* Michael.James@csiro.au wrote on Mon, Sep 29, 2003 at 12:36 +1000:
> Most of my users don't have entries in shadow, they depend on pam_krb5 for authentication.

useradd creates them automatically.

> I want for everyone else (system accounts like FTP and regular users) to be denied even the possibility of a locally stored password.

I do not understand what you mean. Do you want to deny them (from what, BTW?) even if they have a valid password?

> THIS passwd just bungs the encrypted string into /etc/passwd! Argh! Nobody ever wants to go back to un-shadowed passwords. How can I turn off this unwantedly obliging behaviour?

Use as intended :-) To lock an account, try passwd -l username. Maybe you can configure via PAM what you wish; if you want to restrict shell access you can configure OpenSSH quite a lot. Ohh, and finally, feel free to patch passwd or create your own one, it's not that difficult, but I would not recommend that...

oki,
Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
Hi,

now see, this is the default how passwd works under Linux. (Not only SuSE ;-)) If you want to restrict use of passwd to certain users, you should play with chmod and chown. Not with the files.

Greetings
Dirk

Michael.James@csiro.au wrote:
> Suse's "passwd" utility has a bit of undesired behaviour.
> Most of my users don't have entries in shadow, they depend on pam_krb5 for authentication.
> So /etc/shadow is very short, it only has lines for root and a few sysadmins.
> I want for everyone else (system accounts like FTP and regular users) to be denied even the possibility of a locally stored password.
> Now in the past (under Solaris) passwd would grumble and fail unless that username already had a line present in shadow.
> THIS passwd just bungs the encrypted string into /etc/passwd! Argh! Nobody ever wants to go back to un-shadowed passwords. How can I turn off this unwantedly obliging behaviour?
> TIA, michaelj
On Mon, 29 Sep 2003 05:41 pm, Michael James asked:
> When "passwd" runs for a user who doesn't have a line in /etc/shadow it just bungs the encrypted string into /etc/passwd! Argh! Nobody ever wants to go back to un-shadowed passwords. How can I turn off this unwantedly obliging behaviour?

On Mon, 29 Sep 2003 05:41 pm, Dirk Schreiner wrote:
> now see, this is the default how passwd works under Linux. (Not only SuSE ;-))

Well, IMNSHO this is a Bad Thing (TM). In the absence of a shadow entry for the user in question passwd could grumble and fail, or it could create one. But it should NEVER put a password in a world-readable file, not even after hashing it. That's a throwback to before 1995.

> If you want to restrict use of passwd to certain users, you should play with chmod and chown.

I've already done this, and wrapped passwd in a script that gives users more explanation than just "permission denied".

--
Michael James michael.james@csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
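
An added example, not part of the thread: a shell audit for the condition discussed above, where a passwd-format file carries a hash or empty password in its second field instead of deferring to shadow. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Audit a passwd-format file for password fields that bypass shadow.
# Function names and sample data are constructed for this example.

# Print "user:reason" for entries whose 2nd field is not a safe placeholder.
# "x" defers to shadow; a field made only of "*" or "!" holds no hash.
find_unshadowed() {
    awk -F: '
        /^[+-]/ || /^#/ || NF < 7 { next }   # NIS compat, comments, malformed
        $2 == "x" || $2 ~ /^[*!]+$/ { next }
        $2 == "" { print $1 ":empty-password"; next }
        { print $1 ":hash-in-passwd" }
    ' "$1"
}

# Print users listed in passwd ($1) that have no line in shadow ($2).
# FILENAME is compared instead of NR == FNR so an empty shadow file works.
users_without_shadow() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             NF >= 7 && !($1 in seen) { print $1 }' "$2" "$1"
}

# Constructed sample: bob's field stands in for a crypt() hash.
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:*:40:49:FTP account:/srv/ftp:/bin/false
alice:x:1001:100:Kerberos user:/home/alice:/bin/bash
bob:XXconstructed:1002:100:Kerberos user:/home/bob:/bin/bash
carol::1003:100:Kerberos user:/home/carol:/bin/bash
EOF
}

sample_shadow() { cat <<'EOF'
root:*:12324:0:99999:7:::
EOF
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
sample_passwd > "$tmp/passwd"
sample_shadow > "$tmp/shadow"
echo "password fields outside shadow:"; find_unshadowed "$tmp/passwd"
echo "users with no shadow line:"; users_without_shadow "$tmp/passwd" "$tmp/shadow"
```

On a live system, `find_unshadowed /etc/passwd` needs no privileges because the file is world-readable; `users_without_shadow` needs read access to /etc/shadow.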
participants (3)
- Dirk Schreiner
- Michael.James@csiro.au
- Steffen Dettmer