From: Steven M. Bellovin (smb@research.att.com)
Date: Thu Jan 25 2001 - 09:30:11 CST

    In message <87elxr8yth.fsf@snark.piermont.com>, "Perry E. Metzger" writes:
    >
    >Every day I get reports telling me crud like:
    >
    > Login toor is off but still has a valid shell (/bin/sh)
    > Login backup is off but still has a valid shell (/bin/sh)
    >
    >etc.
    >
    >I want these accounts around -- I just want the password based login
    >capability disabled.
    >
    >Right now, as it stands, /etc/security prints that message out no
    >matter what if field two of the password file is not thirteen or
    >twenty characters long. (What is twenty characters for?)
    >
    >I propose that we distinguish between accounts that are not password
    >loginable and accounts that are off by using different characters for
    >the second field -- something other than * -- and that I then hack the
    >/etc/security script to properly note this distinction and ignore the
    >accounts that are intentionally on but password disabled.
    >
    >Comments?

    I have similar complaints. How about "nopw" being the magic string
    you're looking for? Better yet, "*nopw", with "*" meaning "/etc/security
    should ignore this; the remaining characters may be significant to
    something else". That way, we can use "*files-only" for an ownership id,
    "*ssh-only", "*anon-ftp", etc.

                    --Steve Bellovin, http://www.research.att.com/~smb
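The check the thread is arguing about, written out as an added example rather than code from the thread or from any BSD's actual /etc/security script. It assumes the 7-field passwd layout (name:pw:uid:gid:gecos:home:shell), applies the "13 or 20 characters" rule Perry quotes for a real hash, and follows Bellovin's proposed convention that a second field starting with "*" is intentional and should be skipped; the "valid shell" test and the sample accounts are constructed for the example.

```shell
#!/bin/sh
# Added example (not the thread's or NetBSD's code).
# check_passwd FILE: report accounts whose password field is neither a
# 13- nor 20-character hash (i.e. password login is "off") but which still
# have a usable shell, unless the field begins with "*" (the proposed
# "*nopw" / "*ssh-only" / "*anon-ftp" marker meaning "intentional, ignore").
# Exit status: 0 if nothing was reported, 1 if at least one account was.
check_passwd() {
    awk -F: '
        BEGIN { found = 0 }
        /^#/ || NF < 7 { next }                     # comments, malformed lines
        {
            pw = $2; shell = $7
            if (pw == "") next                      # empty password: a different check
            if (pw ~ /^\*/) next                    # "*..." marker: intentionally not password-loginable
            if (length(pw) == 13 || length(pw) == 20) next   # looks like a real hash
            if (shell == "" || shell ~ /(nologin|false)$/) next   # no usable shell (assumed rule)
            printf "Login %s is off but still has a valid shell (%s)\n", $1, shell
            found = 1
        }
        END { exit found }
    ' "$1"
}
```

Run it as `check_passwd /etc/master.passwd` on a system using this marker convention; every line it prints is an account that is neither a working password login nor explicitly marked, which is exactly the set the thread wants left in the report.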