Date: Tue, 16 Jan 2001 01:09:24 +0100 (CET)
From: roelof@nisser.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/24363: shadow passwd's
Message-ID: <200101160009.BAA58909@nisser.com>
>Number:         24363
>Category:       docs
>Synopsis:       lack of explanation
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 15 16:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Roelof Osinga
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
eBOA/Nisser
>Environment:
FreeBSD 4.2-RELEASE
>Description:
I don't get it!
>How-To-Repeat:
By Reading The F. Manual(s):

http://www.freebsd.org/handbook/securing-freebsd.html :

    An indirect way to secure the root account is to secure your staff
    accounts by using an alternative login access method and *'ing out
    the crypted password for the staff accounts. This way an intruder
    may be able to steal the

What's "*'ing"? Check 'man 5 passwd':

    The password field is the encrypted form of the password. If the
    password field is empty, no password will be required to gain access
    to the machine. This is almost invariably a mistake. Because these
    files contain the encrypted user passwords, they should not be
    readable by anyone without appropriate privileges. Administrative
    accounts have a password field containing an asterisk `*' which
    disallows normal logins.

If you don't know what it's about, this won't teach you much. So you want
to secure. Fine. But how? Change any ol' pwd into a '*'? Mebbe? Mebbe not.
Who is to say?

I think it would be a good idea to explicitly state what is needed. With a
link or other kind of reference to the man.part in question.
>Fix:
Some sort of partial rewrite. Maybe something that would show up in, say,
'apropos shadow' or so. Currently it says enough if you know what it's
about. But if you don't, well, ...
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
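The PR asks what "*'ing out" a password actually means in terms of the passwd(5) file. The script below is an added example, not part of the PR or of FreeBSD's documentation: it reads master.passwd(5)-format lines and classifies each password field the way an administrator auditing a box would, distinguishing an empty field (no password required, the "almost invariably a mistake" case from the man page), a bare `*` (the locked state the handbook refers to), and a real hash. The `*LOCKED*` prefix is an assumption based on what pw(8)'s `lock` subcommand writes on FreeBSD; the sample entries and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the GNATS PR or the FreeBSD handbook): audit the
# password field of master.passwd(5)-style entries.
# Constructed sample input; the hash values are placeholders, not real
# credentials. Field layout follows master.passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
SAMPLE_PASSWD='root:$1$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh
staff:*LOCKED*$1$placeholderhash:1002:1002::0:0:Staff:/home/staff:/bin/sh'

# classify_pw FIELD -> prints one of: open, locked, hash
classify_pw() {
  case "$1" in
    '')          echo open ;;    # empty field: login with no password at all
    '*')         echo locked ;;  # bare asterisk: the "*'ing out" the handbook means
    '*LOCKED*'*) echo locked ;;  # prefix written by "pw lock" (assumption)
    *)           echo hash ;;    # anything else is treated as a crypt(3) hash
  esac
}

# audit_passwd: read master.passwd-format lines on stdin, print "user state"
audit_passwd() {
  while IFS=: read -r user pw rest; do
    [ -z "$user" ] && continue          # skip blank lines
    echo "$user $(classify_pw "$pw")"
  done
}

# count_open: number of accounts in the sample with an empty password field
count_open() {
  printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | grep -c ' open$'
}

# Run stand-alone: print the per-account classification of the sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a real system the input would come from master.passwd via `vipw`-style access rather than an inline string, and any account reported as `open` is the one to look at first; the `locked` accounts are exactly the ones the handbook's sentence is describing.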