Subject: Re: Adding support for commented-out password entries
To: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 10/06/2002 17:59:06
[ On Sunday, October 6, 2002 at 21:25:49 (+0200), Dr. Lex Wennmacher wrote: ]
> Subject: Adding support for commented-out password entries
>
> Attached are modifications that add support for commented-out
> entries in master.passwd. With these changes applied, entries
> in master.passwd can be safely commented out by prepending '#:#',
> leaving all other fields (including password and shell field)
> unchanged.

Interesting, but I'm not sure what the purpose of such a very
non-standard change could be.

If the account in question still owns system objects, such as files or
directories, then it's really not a good idea to effectively remove the
entry from the passwd files.  Besides, leaving the entry intact allows
standard tools to extract information about the account.  Generally
speaking there are far fewer risks to leaving an account intact, even
with a valid shell, than there are to commenting it out entirely.  Even
with the shell intact the only risks are to careless or naive superusers
who might foolishly 'su' to the locked account without understanding the
potential risks this entails.  (Of course if the administrator has
installed additional third-party authentication and authorization tools
which do not use the pw_passwd field, or at least don't check it for
validity, those tools could still allow access, but that's an entirely
separate issue -- such tools are buggy and should be fixed before being
used.)

Instead the account should be locked.  This is trivial to do without
losing any data from any field.  Simply prepend a string which can never
represent a valid encrypted password to the pw_passwd field.  Usual
choices which work with all currently supported password cipher schemes
are "*LK*" or "*LOCKED*" (or some self-documenting variation), just like
this:

	woods:*LOCKED*W9XCLR8VNLTsY:1000:100::0:0:Greg A. Woods,Planix,,:/home/woods:/bin/ksh
(that's obviously not my real pw_passwd string -- though if anyone does
crack it I'd be interested in knowing what the clear-text is!  :-)

No code changes are necessary for the above to work, and indeed the same
scheme works on all unix-like systems, right from V7 forward, and has
been widely accepted as a common practice for many years now too.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
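The locking convention described in the message above, worked through as an added example (this is not code from the original post or from NetBSD). It operates on constructed, in-memory master.passwd(5) lines; the sample entry reuses the placeholder hash from the message, and the field order, the lock prefix and the crypt(3) output alphabet are assumptions stated in the code. On a real system the file would be edited with vipw(8) so that pwd_mkdb(8) rebuilds the password databases.

```python
"""Lock and unlock master.passwd entries by prefixing the pw_passwd field.

Added example, not from the original message or from NetBSD.  It works on
constructed in-memory master.passwd(5) lines; a real system edits the file
with vipw(8) so that pwd_mkdb(8) rebuilds the databases afterwards.
"""

LOCK_PREFIX = "*LOCKED*"

# master.passwd(5) fields in order (assumed layout: ten colon-separated fields).
FIELDS = ("name", "passwd", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")

# Characters crypt(3) output can contain across the DES, BSDi, MD5, SHA and
# bcrypt schemes (assumed).  '*' is not among them, so a prefix containing it
# can never equal any crypt(3) result: crypt(candidate, stored) never compares
# equal to the stored field, whatever the candidate password is.
CRYPT_ALPHABET = frozenset(
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$_")


def parse_entry(line):
    """Split one master.passwd line into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(FIELDS), len(parts), line))
    return dict(zip(FIELDS, parts))


def format_entry(entry):
    """Inverse of parse_entry: rebuild the colon-separated line."""
    return ":".join(entry[f] for f in FIELDS)


def prefix_is_safe(prefix):
    """True if the prefix contains a character no crypt(3) scheme emits."""
    return any(c not in CRYPT_ALPHABET for c in prefix)


def is_locked(entry, prefix=LOCK_PREFIX):
    """An entry is locked when its password field carries the prefix."""
    return entry["passwd"].startswith(prefix)


def lock_line(line, prefix=LOCK_PREFIX):
    """Prefix the password field; every other field is left untouched.

    Idempotent: locking an already locked line returns it unchanged.
    """
    if not prefix_is_safe(prefix):
        raise ValueError("prefix %r could collide with a real hash" % prefix)
    entry = parse_entry(line)
    if not is_locked(entry, prefix):
        entry["passwd"] = prefix + entry["passwd"]
    return format_entry(entry)


def unlock_line(line, prefix=LOCK_PREFIX):
    """Reverse lock_line: strip the prefix, restoring the original hash."""
    entry = parse_entry(line)
    if is_locked(entry, prefix):
        entry["passwd"] = entry["passwd"][len(prefix):]
    return format_entry(entry)


def lookup_uid(lines, uid):
    """Resolve a uid to a name the way ls(1) or find(1) do via getpwuid(3).

    A locked entry still resolves because it is still present in the file;
    a removed or commented-out one would not, and files owned by that uid
    would show up as bare numbers.
    """
    for line in lines:
        entry = parse_entry(line)
        if int(entry["uid"]) == uid:
            return entry["name"]
    return None


# Constructed sample; the hash is the placeholder from the message, not real.
SAMPLE = ("woods:W9XCLR8VNLTsY:1000:100::0:0:"
          "Greg A. Woods,Planix,,:/home/woods:/bin/ksh")

if __name__ == "__main__":
    locked = lock_line(SAMPLE)
    print(locked)
    print("round trip ok:", unlock_line(locked) == SAMPLE)
    print("uid 1000 resolves to:", lookup_uid([locked], 1000))
```

The prefix check is the part worth keeping in mind: any string that contains a character outside the crypt(3) alphabet works, which is why "*LK*" and "*LOCKED*" are both safe choices and why "LOCKED" without the asterisks would not be.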