On Mon, Feb 11, 2013 at 10:11:25PM +0100, André Stöbe wrote:
> Antoine Jacoutot wrote:
> > This diff adds 2 new options to usermod(8):
> > -U to unlock a user's password
> > -Z to lock a user's password
>
> Today I was working with these two switches and really got confused.
> I've tested the following with snapshots from Jan 11 and 5.3-beta.
>
> I've got a user with 13 asterisks in the password field as described in
> passwd(5):
> test:*************:1002:1002::0:0:,,,:/home/test:/bin/ksh
>
> After locking the account with "usermod -Z test":
> test:*************:1002:1002::0:0:,,,:/home/test:/bin/ksh-
>
> After unlocking the account with "usermod -U test":
> test:************:1002:1002::0:0:,,,:/home/test:/bin
>
> 1) The login shell is broken.
> 2) The password field consists of 12 asterisks. I'd expect it to be just
> the same as it was before unlocking the account. This probably makes
> security(8) complain, and more importantly, it never adds an asterisk
> when locking but always removes an asterisk when unlocking, so the
> account would be accessible without a password after some lock-unlock
> cycles (at least the shell is still broken):
> test::1002:1002::0:0:,,,:/home/test:/bin
>
> Can't tell if this problem relates to users with normal password
> authentication. I did only test users with 13 asterisks in the password
> field.

I'll have a look.

-- 
Antoine
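
An audit for the entry states quoted in the report above, as an added example that is not part of the original thread or of usermod(8) itself. The function name `audit_passwd`, the accepted-shell list and the sample input are assumptions made for illustration; the sample lines are the entries quoted in the report.

```shell
#!/bin/sh
# Added example: audit master.passwd-format lines (10 colon-separated
# fields, as in the report) for the states described in the thread.
# $1: space-separated list of accepted login shells (an assumption; on a
# real system this list would come from /etc/shells).
audit_passwd() {
    awk -F: -v shells="$1" '
    BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
    NF != 10 { printf "%s: expected 10 fields, got %d\n", $1, NF; next }
    {
        pw = $2; sh = $10
        # An empty field means login without a password.
        if (pw == "")
            printf "%s: empty password field\n", $1
        # The report expects exactly 13 asterisks, per passwd(5).
        else if (pw ~ /^\*+$/ && length(pw) != 13)
            printf "%s: %d asterisks in password field, expected 13\n", $1, length(pw)
        # The locked entry in the report has "-" appended to the shell.
        if (sh ~ /-$/)
            printf "%s: shell %s ends in \"-\" (lock marker)\n", $1, sh
        else if (!(sh in ok))
            printf "%s: shell %s is not an accepted shell\n", $1, sh
    }'
}

# Constructed sample input: the four entries quoted in the report
# (original, locked, unlocked, and after repeated lock-unlock cycles).
sample_entries() {
    cat <<'EOF'
test:*************:1002:1002::0:0:,,,:/home/test:/bin/ksh
test:*************:1002:1002::0:0:,,,:/home/test:/bin/ksh-
test:************:1002:1002::0:0:,,,:/home/test:/bin
test::1002:1002::0:0:,,,:/home/test:/bin
EOF
}

sample_entries | audit_passwd "/bin/sh /bin/ksh /bin/csh"
```

Running the same check before and after a lock-unlock cycle shows whether the entry round-trips unchanged.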
