On Thu, 10 Mar 2022 at 21:18:30 +0100, Marc Haber wrote:
> I have re-read Simon's words and still have the interpretation that
> unlocking an account that has been created with -disabled-login will
> allow login without password, making the account completely open.

That's what I thought would happen, but now that I try it, in fact usermod
has a guard against this (at least in sid).

Steps to reproduce (on a disposable machine):

    adduser --system --disabled-password disabled-password
    adduser --system --disabled-login disabled-login
    adduser --system --disabled-login --disabled-password disabled-both
    grep disabled /etc/shadow
    usermod -U disabled-password
    usermod -U disabled-login
    usermod -U disabled-both

Results:

- adduser sets the password column in /etc/shadow to '*' for
  disabled-password and '!' for the others
- usermod -U has no effect on disabled-password
- For the other two, usermod -U prints:

      usermod: unlocking the user's password would result in a passwordless account.
      You should set a password with usermod -p to unlock this user's password.

And while I'm testing this: if I change the system accounts' shells to
/bin/bash and set up a ssh authorized key, both '*' and '!' allow ssh login.

    smcv
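
The behaviour reported in the message above, modelled as a small audit script. This is an added example, not part of the original mail and not usermod's own code; the function names and the shadow entries (including the third, hash-bearing account) are constructed for illustration.

```shell
#!/bin/sh
# Classify the password column (2nd field) of a shadow(5) entry.
classify_field() {
    case "$1" in
        '')   echo "empty" ;;         # passwordless account
        '*')  echo "no-password" ;;   # what --disabled-password produced
        '!')  echo "locked-empty" ;;  # what --disabled-login produced
        '!'*) echo "locked-hash" ;;   # a password exists, prefixed with '!'
        *)    echo "hash" ;;          # a hash or some other string
    esac
}

# Model of what the message observed for "usermod -U": it strips one
# leading '!', and refuses when nothing would be left behind.
unlock_effect() {
    case "$1" in
        '!')  echo "refused" ;;
        '!'*) echo "becomes:${1#?}" ;;
        *)    echo "unchanged" ;;
    esac
}

# Read shadow-format lines on stdin, print: user state unlock-outcome.
# Note: per the message, neither '*' nor '!' blocked SSH key login, so
# this column says nothing about key-based access.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        printf '%s %s %s\n' "$user" \
            "$(classify_field "$field")" "$(unlock_effect "$field")"
    done
}

# Constructed sample entries; not taken from a real system.
sample_shadow() {
    cat <<'EOF'
disabled-password:*:19061:0:99999:7:::
disabled-login:!:19061:0:99999:7:::
locked-with-hash:!$6$constructed$notarealhash:19061:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```
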