*lock* considered empty?
Darren J Moffat
Darren.Moffat at Sun.COM
Tue Oct 21 06:50:54 EST 2003
On Sat, 18 Oct 2003, Jeff A. Earickson wrote:
> This logic seems really fragile. For crypt() based passwords,
What is fragile is the method of overloading the password field with
account status information. Ideally locked should have been a separate
boolean all together. In some systems it could be implemented that way
(eg if using things like PAM or BSD-Auth) but history means that at least
for the forseable future there is that overloading.
> I would think that "anything not 13 chars long is locked". Isn't
> MD5 also a fixed length too, with the same idea?
An equally fragile assumption. For example on Solaris 9 update 2 there
is the following:
NP - Not Participating in UNIX authentication
- Used to allow an account to run cron jobs or login with SSH
public-key but not with a UNIX password.
*LK* - Locked
Can not be authenticated to with UNIX and should not be used
for running any processes.
It is really *LK* as a prefix that we check not just "*LK*".
*NP* - No permission to read the password field (NIS+ or LDAP)
$1$.... - BSD MD5 crypt passwords
$2a$... - BSD Blowfish crypt passwords
$md5$.. - Sun (Alec Muffett) MD5 crypt passwords
The crypt(3c) [ and crypt_gensalt(3c) ] interface is extensible (without
requring access to the source) via crypt.conf(4).
--
Darren J Moffat
More information about the openssh-unix-dev
mailing list