On 26/03/25 20:55, Daniel Jakots wrote:
> On Thu, 27 Mar 2025 10:55:13 +1100, Jon Higgs <j...@altos.au> wrote:
>
> > Is there any way to control this? Or am I holding something wrong, and
> > these warnings are an artifact of that.
>
> passwd(5) says
>
>     The password field is the encrypted form of the password. If the
>     password field is empty, no password will be required to gain
>     access to the machine. This is almost invariably a mistake. By
>     convention, accounts that are not intended to be logged in to
>     (e.g. bin, daemon, sshd) only contain a single asterisk in the
>     password field. Note that there is nothing special about ‘*’, it
>     is just one of many characters that cannot occur in a valid
>     encrypted password (see crypt(3)). Similarly, login accounts not
>     allowing password authentication but allowing other authentication
>     methods, for example public key authentication, conventionally
>     have 13 asterisks in the password field. Because master.passwd
>     contains the encrypted user passwords, it should not be readable
>     by anyone without appropriate privileges.
>
> so just use 13 asterisks?
>
> Cheers,
> Daniel
>
Thanks Daniel,

I think this might fall onto the almost side of "almost invariably a
mistake".

As I understand it, when /usr/local/bin/gotsh is the user's shell, it
enforces access control according to the rules from gotd.conf(5).

The gotsh(1) says:

    The anonymous user account should have a publicly known password, or
    can be set up with an empty password in which case the user's vipw(8)
    entry would look similar to this example:

    anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh

I've also confirmed that changing password to * as suggested by the docs
prevents any anonymous access using the git user. It's not the desired
behaviour.

--
Cheers,
Jon
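
An added example, not part of either message and not from the got project: a small audit that classifies the password field of master.passwd-format lines by the passwd(5) conventions quoted above, then lists empty-password accounts whose shell is not a named restricted shell. The function names and every sample account except the anonymous line are constructed for illustration.

```sh
#!/bin/sh
# Classify the password field of master.passwd(5)-format lines on stdin.
# Prints "login<TAB>class<TAB>shell" for each account.
classify_passwd_fields() {
    awk -F: '
    /^#/ || NF == 0 { next }                        # skip comments and blanks
    NF != 10 { printf "%s\tmalformed\t-\n", $1; next }
    {
        pw = $2
        if (pw == "")                   cls = "empty"             # no password required
        else if (pw == "*")             cls = "nologin"           # single asterisk
        else if (pw == "*************") cls = "no-password-auth"  # 13 asterisks
        else if (index(pw, "*") > 0)    cls = "not-a-hash"        # asterisk never occurs in a hash
        else                            cls = "hash"
        printf "%s\t%s\t%s\n", $1, cls, $10
    }'
}

# Logins with an empty password field whose shell differs from $1.
# Assumption: the shell passed as $1 enforces its own access control.
unexpected_empty() {
    classify_passwd_fields |
        awk -F'\t' -v ok="$1" '$2 == "empty" && $3 != ok { print $1 }'
}

# Constructed sample data; only the anonymous entry comes from the message.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not from a real system
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
keyonly:*************:1000:1000::0:0:Key Only:/home/keyonly:/bin/ksh
anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh
oops::1003:1003::0:0:Oops:/home/oops:/bin/ksh
alice:$2b$10$constructedhashplaceholder:1004:1004::0:0:Alice:/home/alice:/bin/ksh
EOF
}

# Demo on the sample; on a live system, run as root with
#   classify_passwd_fields < /etc/master.passwd
sample_master_passwd | classify_passwd_fields
echo "unexpected empty password: $(sample_master_passwd | unexpected_empty /usr/local/bin/gotsh)"
```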