[SOLVED] Re: OpenSSH public key problem with Solaris 10 and LDAP users?
Douglas E. Engert
deengert at anl.gov
Fri Aug 17 06:47:21 EST 2007
Jefferson Ogata wrote:
> On 08/16/07 16:51, Douglas E. Engert wrote:
>> No, I expect it to be NP not *NP*.
>
> If you don't want a user to have a valid crypt password, you should
> always include a character that cannot occur in a crypt password; this
> assures that there is no possible string that could hash to the target
> value, without relying on any specifics about the crypt algorithm other
> than its target charset. The standard character for this is *, although
> ! is used as well. The traditional old-timer way to make a user with no
> password is to use * alone in the password field. Solaris likes *NP* for
> this, and also uses *LK*, if I recall correctly, to designate a locked user.
Well NP is not a valid crypt string either as it is only 2 characters long,
and crypt always returns 13 characters.
>
> This is sysadmin 101, people.
It's more like a sysadmin 401. This has changed over the years with different
OSs using different conventions. Including no use of the account at all if it
starts with a "*". NP has always worked...
The OpenSSH src/sshd.0 has:
> Regardless of the authentication type, the account is checked to ensure
> that it is accessible. An account is not accessible if it is locked,
> listed in DenyUsers or its group is listed in DenyGroups. The definition
> of a locked account is system dependant. Some platforms have their own
> account database (eg AIX) and some modify the passwd field (`*LK*' on
> Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
> leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
> a requirement to disable password authentication for the account while
> allowing still public-key, then the passwd field should be set to
> something other than these values (eg `NP' or `*NP*').
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
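The two points argued in this thread (a passwd field that no crypt output can ever equal, versus a field that sshd treats as a platform-specific lock marker) can be checked mechanically when auditing an LDAP or shadow export. The script below is an added example, not code from this thread or from OpenSSH. Its lock markers are copied from the sshd(8) text quoted above; the "could a password match this" test assumes traditional 13-character DES crypt(3), which is what the thread is discussing, and the sample shadow-style lines are constructed.

```python
# Audit passwd-field values the way the quoted sshd(8) text describes:
# first ask whether sshd on a given platform treats the field as a lock
# marker, then whether any password could hash to the field at all.
# Assumption: traditional DES crypt(3) output, exactly 13 characters drawn
# from [a-zA-Z0-9./]. Modern "$id$..." hashes are outside this check.
DES_CRYPT_ALPHABET = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
)
DES_CRYPT_LEN = 13

# Lock markers per platform, transcribed from the sshd(8) paragraph quoted
# in the thread: exact value, leading prefix, or contained substring.
LOCK_MARKERS = {
    "solaris": lambda f: f == "*LK*",
    "unixware": lambda f: f == "*LK*",
    "hp-ux": lambda f: f == "*",
    "tru64": lambda f: "Nologin" in f,
    "freebsd": lambda f: f.startswith("*LOCKED*"),
    "linux": lambda f: f.startswith("!!"),
}


def could_be_des_crypt(field):
    """True if some password could hash to this field under DES crypt(3).

    Both objections raised in the thread land here: a field containing a
    character outside the crypt alphabet (such as '*') can never match, and
    neither can one of the wrong length (such as the 2-character 'NP').
    """
    return len(field) == DES_CRYPT_LEN and all(c in DES_CRYPT_ALPHABET for c in field)


def is_locked_for_sshd(field, platform):
    """True if sshd on `platform` would refuse the account as locked."""
    return LOCK_MARKERS[platform](field)


def classify(field, platform):
    """Summarise what sshd will do with an account whose passwd field is `field`."""
    if is_locked_for_sshd(field, platform):
        return "locked"                # no authentication method works
    if could_be_des_crypt(field):
        return "password-capable"      # some password matches this hash
    return "password-disabled"         # password auth impossible, public key still allowed


def audit_shadow_lines(lines, platform):
    """Map user name to classification for 'name:field:...' lines (constructed input)."""
    result = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, field = line.split(":")[:2]
        result[name] = classify(field, platform)
    return result


# Constructed sample entries; the hash is a made-up 13-character value.
SAMPLE_SHADOW = [
    "alice:abJnggxhB/yWI:13000:0:99999:7:::",   # ordinary DES hash
    "svc-ldap:NP:13000:0:99999:7:::",           # the value under discussion
    "svc-star:*NP*:13000:0:99999:7:::",         # Solaris-style variant
    "old-admin:*LK*:13000:0:99999:7:::",        # Solaris lock marker
]

if __name__ == "__main__":
    for user, verdict in audit_shadow_lines(SAMPLE_SHADOW, "solaris").items():
        print(f"{user:10s} {verdict}")
```

Run against a Solaris export, the sample reports `alice` as password-capable, both `NP` and `*NP*` as password-disabled (public key still usable), and `*LK*` as locked. Swap the platform to `"linux"` or `"hp-ux"` and the same field values classify differently, which is the portability point the thread is making.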