Document the current practice of locking and disabling accounts
through passwd(5).
Yaroslav Tykhiy 2007-05-08 10:22:45 +00:00
parent e43719c485
commit f5510010b5


@ -35,7 +35,7 @@
.\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93 .\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd February 8, 2005 .Dd May 8, 2007
.Dt PASSWD 5 .Dt PASSWD 5
.Os .Os
.Sh NAME .Sh NAME
@ -106,18 +106,6 @@ has the class, change, and expire fields removed, and the password
field replaced by a field replaced by a
.Ql * .Ql *
character. character.
In the
.Nm master.passwd
file, a password of
.Ql *
is used to indicate that no one can ever log into that account
using password authentication (logins through other forms of
authentication, i.e.\& using
.Xr ssh 1
keys, will still work).
The field only contains encrypted passwords, and
.Ql *
can never be the result of encrypting a password.
.Pp .Pp
The The
.Ar name .Ar name
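Review bot: with the explanation of `*` moved out of this paragraph, the sentence that survives just above it ("field replaced by a" / ".Ql *" / "character.") is now the only description of the world-readable passwd(5) file, and it leaves the reader to guess whether that `*` means the same thing as the `*` documented later under the password field. Since the later text defines `*` as "password authentication is disabled", add a clause here stating that in the public file the `*` is merely a placeholder for the withheld hash and says nothing about whether the account is usable, so that tools reading /etc/passwd do not infer lock state from it.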
@ -141,7 +129,10 @@ No field may contain a
colon (``:'') as this has been used historically to separate the fields colon (``:'') as this has been used historically to separate the fields
in the user database. in the user database.
.Pp .Pp
The password field is the In the
.Nm master.passwd
file,
the password field is the
.Em encrypted .Em encrypted
form of the password, see form of the password, see
.Xr crypt 3 . .Xr crypt 3 .
@ -149,10 +140,30 @@ If the
.Ar password .Ar password
field is empty, no password will be required to gain access to the field is empty, no password will be required to gain access to the
machine. machine.
This is almost invariably a mistake. This is almost invariably a mistake, so authentication components
Because these files contain the encrypted user passwords, they should such as PAM can forcibly disallow remote access to passwordless accounts.
Because this file contains the encrypted user passwords, it should
not be readable by anyone without appropriate privileges. not be readable by anyone without appropriate privileges.
.Pp .Pp
A password of
.Ql *
indicates that
password authentication is disabled for that account
(logins through other forms of
authentication, e.g., using
.Xr ssh 1
keys, will still work).
The field only contains encrypted passwords, and
.Ql *
can never be the result of encrypting a password.
.Pp
An encrypted password prefixed by
.Ql *LOCKED*
means that the account is temporarily locked out
and no one can log into it using any authentication.
For a convenient command-line interface to account locking, see
.Xr pw 8 .
.Pp
The group field is the group that the user will be placed in upon login. The group field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see Since this system supports multiple groups (see
.Xr groups 1 ) .Xr groups 1 )
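Review bot: the `*LOCKED*` paragraph says no one can log in "using any authentication", but the text gives no basis for that beyond the prefix being present in the hash field; crypt(3) merely fails to match such a string, so whether a key-based ssh(1) login is refused depends on each authenticating program recognising the prefix. State that the lock is honoured by the login path rather than by the password comparison, and name the consumer the reader should check, otherwise the contrast with `*` (password disabled, keys still work) reads stronger than the mechanism guarantees. The new sentence "authentication components such as PAM can forcibly disallow remote access to passwordless accounts" has the mirror-image problem: "can" leaves open whether the default configuration does, so either name the module and option that enforce it with an .Xr, or drop the clause and keep the plain warning that an empty field is a mistake.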
@ -222,6 +233,10 @@ If there is nothing in the
field, the Bourne shell field, the Bourne shell
.Pq Pa /bin/sh .Pq Pa /bin/sh
is assumed. is assumed.
The conventional way to disable logging into an account once and for all,
as it is done for system accounts,
is to set its shell to
.Xr nologin 8 .
.Sh HESIOD SUPPORT .Sh HESIOD SUPPORT
If If
.Sq dns .Sq dns
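Review bot: the new sentence presents a nologin(8) shell as the way to disable logins "once and for all", but a shell change only takes effect after authentication has already succeeded, so it should be distinguished from the `*LOCKED*` prefix documented earlier in this patch, which refuses authentication itself. Suggest saying that nologin(8) prevents the account from obtaining a shell or running commands rather than preventing authentication, and that system accounts conventionally pair it with a `*` password so that neither a password nor an interactive session is available; on its own, a nologin shell still lets an accepted ssh(1) key reach session setup before nologin turns it away.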
@ -358,6 +373,7 @@ BEGIN { FS = ":"}
.Xr login.conf 5 , .Xr login.conf 5 ,
.Xr netgroup 5 , .Xr netgroup 5 ,
.Xr adduser 8 , .Xr adduser 8 ,
.Xr nologin 8 ,
.Xr pw 8 , .Xr pw 8 ,
.Xr pwd_mkdb 8 , .Xr pwd_mkdb 8 ,
.Xr vipw 8 , .Xr vipw 8 ,