Date: Wed, 30 Dec 2009 13:20:53 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Anton Shterenlikht <mexas@bristol.ac.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: does toor have passwd or not? According to logins -p: yes
Message-ID: <4B3B53B5.7040601@infracaninophile.co.uk>
In-Reply-To: <20091230123341.GC36440@mech-cluster241.men.bris.ac.uk>
References: <20091230123341.GC36440@mech-cluster241.men.bris.ac.uk>

Anton Shterenlikht wrote:
> I was checking for passwordless accounts with 'logins -p'.
> None was found. However, I understand toor doesn't have
> passwd by default, and I never touched it, so I expected
> logins -p to show toor, but it didn't.
>
> Just to check I also tried to su toor with root passwd - no access.
>
> Please can somebody clarify if toor does indeed have
> passwd.

By default, the account is locked. Look at /etc/master.passwd -- the toor
entry probably looks like this:

    toor:*:0:0::0:0:Bourne-again Superuser:/root:

That '*' in the second field means there's simply no possibility of login
using a password. In this case, everything is fine.

If it's a string of dollar signs and alphanumerics like this:

    $1$salt$qJH7.N4xYta3aEG/dfqo/0

then the account does have a real password. This is probably OK, if you
want to be able to log in as toor directly. [Before anyone gets excited and
tries to break into any of my machines, no that isn't a real crypted password
from my master.passwd file. It's created like this:

    % perl -le 'print crypt("password", "\$1\$salt\$")'
]

If there's nothing in the second field, then you have a problem, as that
means the account has a NULL password (ie. just hit return when prompted for a
password -- this is what 'logins -p' detects). That may or may not actually
work to get into the toor account depending on how you're trying to
authenticate and on various other security settings eg. in /etc/pam.d, but
even so it is something that should be fixed pronto. Use vipw(8) to edit
master.passwd and insert a * -- vipw will regenerate /etc/passwd and pwd.db
automatically for you.

    Cheers,

    Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
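
The three cases for the second field of master.passwd described in the message above, as an added example that is not part of the original e-mail: a shell/awk classifier run over constructed sample lines. The function names, status labels, sample accounts, and the choice to treat any field beginning with `*` as "no password login" are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the password field (field 2) of master.passwd lines.
# Layout: name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample data, not from a real system. The hash is the
# crypt("password") illustration quoted in the message.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:$1$salt$qJH7.N4xYta3aEG/dfqo/0:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
guest::1001:1001::0:0:Constructed NULL-password account:/home/guest:/bin/sh
EOF
}

# Reads master.passwd-format lines on stdin, prints "name uid status".
classify_master_passwd() {
    awk -F: '
        /^#/ || NF == 0 { next }              # skip comments and blank lines
        NF != 10 { printf "%s - MALFORMED\n", $1; next }
        {
            pw = $2
            if (pw == "")
                status = "NULL-PASSWORD"      # what logins -p reports
            else if (substr(pw, 1, 1) == "*")
                status = "NO-PASSWORD-LOGIN"  # assumption: any leading * counts
            else if (substr(pw, 1, 1) == "$")
                status = "HASHED-PASSWORD"    # $id$salt$hash style
            else
                status = "OTHER"              # e.g. an older hash format
            printf "%s %s %s\n", $1, $3, status
        }'
}

# Prints only the account names that have an empty password field.
null_password_accounts() {
    classify_master_passwd | awk '$3 == "NULL-PASSWORD" { print $1 }'
}

# Demo on the constructed sample. On a real system, as root:
#   classify_master_passwd < /etc/master.passwd
sample_master_passwd | classify_master_passwd
```

Any name printed by `null_password_accounts` is an account to fix with vipw(8) as the message describes.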