10-23-2008, 11:38 AM
"Mertens, Bram"

"Alternate authentication scheme in use" by certain system accounts

Hi

As part of our effort to become (J-)SOX compliant my manager had to
review a list of system user accounts on our systems.

One of his remarks was that he believed the games user account (amongst
others) should not exist on our systems. I explained to him that this is a
default user account (it is in the initial passwd file of the setup
package) and that it was locked so it cannot be used to access the
system.

However, when I check the account on several of our systems (RHEL 3, 4, 5,
Fedora 9 and even RH 9) I do not get the result I expected from passwd -S:

# passwd -S games
Alternate authentication scheme in use.

Other accounts like mail also return this state whereas accounts like
rpc do return the "Password locked." as I expected:
# passwd -S rpc
Password locked.

The difference between these accounts is that for those accounts that
are locked the password field in /etc/shadow contains "!!" as described
in the man page of a.o. passwd. The accounts for which passwd reports
"Alternate authentication scheme in use" have an asterisk "*" in the
password field:
# grep "games:" /etc/passwd /etc/shadow
/etc/passwd:games:x:12:100:games:/usr/games:/sbin/nologin
/etc/shadow:games:*:14133:0:99999:7:::

Locking the accounts with "usermod -L" changes the password field of
/etc/shadow to "!*" upon which passwd -S reports that the account is
locked:
# usermod -L games
# echo $?
0
# passwd -S games
Password locked.
# grep "games:" /etc/passwd /etc/shadow
/etc/passwd:games:x:12:100:games:/usr/games:/sbin/nologin
/etc/shadow:games:!*:14061:0:99999:7:::

This appears to apply to all user accounts of the setup package.

What does the asterisk (*) in the password field mean? Can these
accounts also be considered locked? Or does it make sense (as the NSA's
"Guide to the Secure Configuration of Red Hat Enterprise Linux 5"
suggests) to lock all these accounts?

And if it makes sense to lock these accounts wouldn't it be better to
update the setup package so this is the default?

Kind regards

Bram



Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
VAT BE 0406.024.281, RPR Mechelen, ING 310-0092504-52, IBAN : BE64 3100 0925 0452, SWIFT : BBRUBEBB


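The script below is an added audit helper, not code from the thread or from Red Hat. It classifies entries of a shadow-format file by their password field, printing the same strings the post reports from passwd -S so the two can be compared, and then lists every account an access review should look at (locked, "*", or empty). The classification follows shadow(5): a field beginning with "!" is locked, an empty field means no password is required, and any other string that is not a valid crypt(3) result (such as "*") prevents login with a unix password without being reported as "locked". Hash detection is an assumption of this example: "$id$salt$hash" modular-crypt strings and 13-character traditional DES strings are treated as real hashes. The sample shadow file is constructed with placeholder hashes.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Classifies shadow(5) entries by
# their password field, using the strings the thread reports from "passwd -S".
# Per shadow(5): a field beginning with "!" is locked; an empty field means no
# password is needed; any other string that is not a valid crypt(3) result
# (such as "*") blocks password login without being reported as "locked".
# Hash detection is an assumption: "$id$salt$hash" modular-crypt strings or a
# 13-character traditional DES string are treated as real hashes.

shadow_status() {
    # $1: one shadow(5) line, "name:password:lastchg:min:max:warn:inactive:expire:"
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')            echo "Empty password."; return ;;
        '!'*)          echo "Password locked."; return ;;
        '$'*'$'*'$'*)  echo "Password set."; return ;;
    esac
    # Traditional DES: exactly 13 characters drawn from [./0-9A-Za-z].
    if [ "${#pw}" -eq 13 ] && [ -z "$(printf '%s' "$pw" | tr -d './0-9A-Za-z')" ]; then
        echo "Password set."
    else
        echo "Alternate authentication scheme in use."
    fi
}

audit_shadow() {
    # $1: path to a shadow-format file. Prints "name<TAB>status" for every
    # account whose password field is not a usable hash; these are the
    # entries an access review should examine, whether locked, "*", or empty.
    while IFS= read -r line; do
        case "$line" in
            '') continue ;;
        esac
        name=${line%%:*}
        status=$(shadow_status "$line")
        case "$status" in
            "Password set.") ;;
            *) printf '%s\t%s\n' "$name" "$status" ;;
        esac
    done < "$1"
}

count_reviewable() {
    # Number of entries audit_shadow reports for the file in $1.
    audit_shadow "$1" | awk 'END { print NR }'
}

make_sample() {
    # Writes a constructed shadow file (placeholder hashes, not real ones)
    # mirroring the entries discussed in the thread and prints its path.
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$1$sample$placeholderhashvalue:14133:0:99999:7:::
legacy:abJnggxhB/yWI:14133:0:99999:7:::
games:*:14133:0:99999:7:::
mail:*:14133:0:99999:7:::
rpc:!!:14133:0:99999:7:::
gameslocked:!*:14061:0:99999:7:::
nopass::14133:0:99999:7:::
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the constructed sample, then clean up.
sample=$(make_sample)
audit_shadow "$sample"
rm -f "$sample"
```

Run against a real system with "audit_shadow /etc/shadow" as root; on the sample, the two "*" accounts, the two "!"-prefixed accounts and the empty-password account are reported, while the two hashed entries are not. The "Empty password." line is the one to act on first, since such an entry allows login with no password at all.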