From owner-freebsd-doc Mon Jan 15 16:10:25 2001
Message-Id: <200101160009.BAA58909@nisser.com>
Date: Tue, 16 Jan 2001 01:09:24 +0100 (CET)
From: roelof@nisser.com
Reply-To: roelof@eboa.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/24363: shadow passwd's

>Number:         24363
>Category:       docs
>Synopsis:       lack of explanation
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 15 16:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Roelof Osinga
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
eBOA/Nisser
>Environment:
FreeBSD 4.2-RELEASE
>Description:
I don't get it!
>How-To-Repeat:
By Reading The F. Manual(s):

http://www.freebsd.org/handbook/securing-freebsd.html :

    An indirect way to secure the root account is to secure your staff
    accounts by using an alternative login access method and *'ing out
    the crypted password for the staff accounts. This way an intruder
    may be able to steal the

What's "*'ing"? Check 'man 5 passwd':

    The password field is the encrypted form of the password. If the
    password field is empty, no password will be required to gain access
    to the machine. This is almost invariably a mistake. Because these
    files contain the encrypted user passwords, they should not be
    readable by anyone without appropriate privileges.

    Administrative accounts have a password field containing an asterisk
    `*' which disallows normal logins.

If you don't know what it's about, this won't teach you much. So you want to secure. Fine. But how? Change any ol' pwd into a '*'? Mebbe? Mebbe not. Who is to say?

I think it would be a good idea to explicitly state what is needed. With a link or other kind of reference to the man.part in question.
>Fix:
Some sort of partial rewrite. Maybe something that would show up in, say, 'apropos shadow' or so. Currently it says enough if you know what it's about. But if you don't, well, ...
>Release-Note:
>Audit-Trail:
>Unformatted:
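What the handbook's "*'ing out" amounts to, shown as an added example that is not part of the PR or of the FreeBSD documentation: a small audit of master.passwd(5)-format lines that classifies each password field the way passwd(5) describes (empty, `*`, or a hash), and a helper that replaces one account's hash with `*`. The sample file contents are constructed; the `*LOCKED*` prefix it also recognizes is the convention FreeBSD's pw(8) lock uses, which the PR does not mention.

```python
# Constructed sample in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
root:$1$abcdefgh$FAKEHASHFAKEHASHFAKEH.:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$ijklmnop$FAKEHASHFAKEHASHFAKEH.:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
"""

def classify_password_field(field):
    """Return how the password field affects login, per passwd(5)."""
    if field == "":
        return "no password required"      # passwd(5): almost invariably a mistake
    if field == "*":
        return "normal logins disallowed"  # the "*'ed out" state the handbook means
    if field.startswith("*LOCKED*"):
        return "locked by pw(8)"           # FreeBSD pw lock convention (assumption, not on page)
    return "encrypted password set"

def audit_master_passwd(text):
    """Map each account name to the classification of its password field."""
    result = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue  # malformed line; skip it rather than guess
        result[fields[0]] = classify_password_field(fields[1])
    return result

def star_out(text, account):
    """Replace the account's encrypted password with '*', keeping other fields.

    This is the edit the handbook describes; on a live system make it through
    vipw(8) so the password databases get rebuilt, not by editing the file directly."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 10 and fields[0] == account:
            fields[1] = "*"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"
```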