No subject
Tue Nov 13 08:16:38 EST 2012
If the password field contains some string that is not a valid
result of crypt(3), for instance ! or *, the user will not be able to use a
unix password to log in (but the user
may log in the system by other means).
This field may be empty, in which case no passwords are required
to authenticate as the specified login name. However, some applications
which read the /etc/shadow file may
decide not to permit any access at all if the password field is
empty.
A password field which starts with a exclamation mark means that
the password is locked. The remaining characters on the line represent the
password field before the password was
locked.
A bit more digging and crypt is actually using sha512 on RHEL6. This can be
seen by the leading $6 in the shadow line. It also uses an 8-character
salt. That makes an 86 character hash string.
On Tue, Jul 30, 2013 at 3:05 PM, Scott Plante <splante at insightsys.com>wrote:
> Also, root can still su to an account with nologin using -s parameter:
>
> guinness:~ # grep statd /etc/passwd
> statd:x:493:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
> guinness:~ # grep statd /etc/shadow
> statd:!:15770::::::
> guinness:~ # su statd
> This account is currently not available.
> guinness:~ # su -s /bin/bash statd -c "id -a"
> uid=493(statd) gid=65534(nogroup) groups=65534(nogroup)
> guinness:~ # su -s /bin/bash - statd
> statd at guinness:~> pwd
> /var/lib/nfs
> statd at guinness:~> logout
> guinness:~ #
>
> This technique, especially with the -c param, is useful when writing
> /etc/init.d scripts to start/stop a service running as a service account
> with /sbin/nologin or /bin/false as a shell. That may be a bit old-school,
> as most of the init scripts seem to use startproc instead of su these days.
>
> OpenSUSE seems to populate /etc/shadow password with a single "!" instead
> of a double bang. I don't believe the bangs are special characters, but
> that no actual password will ever has into either one. You could probably
> just as well put "nope" in there. I see a lot of entries with "*" as the
> password and I expect it serves the same purpose.
>
> Scott
>
> ------------------------------
> *From: *"Jim Kinney" <jim.kinney at gmail.com>
> *To: *"Atlanta Linux Enthusiasts" <ale at ale.org>
> *Sent: *Tuesday, July 30, 2013 1:30:03 PM
>
> *Subject: *Re: [ale] Service account allows sudo but no login
>
> set account to be "disabled" by having password field in /etc/shadow to
> '!!'. The shell can be what ever is needed to start service. If the service
> needs no shell, set it to /sbin/nologin.
>
> eg.:
>
> # grep postgres /etc/passwd
> postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
> # grep postgres /etc/shadow
> postgres:!!:15824::::::
>
>
> No user named postgres can login BUT (only) root _can_ su - postgres since
> there is a shell.
>
> These accounts can't be su'ed to :
> # grep nologin /etc/passwd
> bin:x:1:1:bin:/bin:/sbin/nologin
> daemon:x:2:2:daemon:/sbin:/sbin/nologin
> adm:x:3:4:adm:/var/adm:/sbin/nologin
> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
>
> # su - bin
> This account is currently not available.
> # su - lp
> This account is currently not available.
>
>
>
>
> On Tue, Jul 30, 2013 at 12:28 PM, leam hall <leamhall at gmail.com> wrote:
>
>> Is there a good security practice for service accounts? The goal is that
>> an app can run as "myapp" but no one can login as myapp and myapp's
>> password does not expire.
>>
>> So far best practice seems to be having a regular shell and no password,
>> with specific people/groups allowed to sudo over.
>>
>> Thoughts?
>>
>> Leam
>>
>> --
>> Mind on a Mission <http://leamhall.blogspot.com/>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
>
>
> --
> --
> James P. Kinney III
> *
> *Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his own
> tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> *
> http://electjimkinney.org
> http://heretothereideas.blogspot.com/
> *
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
--
--
James P. Kinney III
*
*Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
*
http://electjimkinney.org
http://heretothereideas.blogspot.com/
*
--001a11c3ecbc47dfe804e2bfb0f8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div><div>For reasons unknown to me, RHEL uses '!!'=
; when a single '!' is good enough.<br></div><div><br></div>From ma=
n 3 shadow:<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 encrypted password<br>=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Refer to crypt=
(3) for details on how this string is interpreted.<br>
<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 If the pas=
sword field contains some string that is not a valid result of crypt(3), fo=
r instance ! or *, the user will not be able to use a unix password to log =
in (but the user<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0 may log in the system by other means).<br>
<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 This field=
may be empty, in which case no passwords are required to authenticate as t=
he specified login name. However, some applications which read the /etc/sha=
dow file may<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0 decide not to permit any access at all if the password field is empty.<=
br>
<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 A password=
field which starts with a exclamation mark means that the password is lock=
ed. The remaining characters on the line represent the password field befor=
e the password was<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 locked.<br><br>
<br></div><br><div><br></div><div>A bit more digging and crypt is actually =
using sha512 on RHEL6. This can be seen by the leading $6 in the shadow lin=
e. It also uses an 8-character salt. That makes an 86 character hash string=
.<br>
</div></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">O=
n Tue, Jul 30, 2013 at 3:05 PM, Scott Plante <span dir=3D"ltr"><<a href=
=3D"mailto:splante at insightsys.com" target=3D"_blank">splante at insightsys.com=
</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div><div style=3D"font-size:12pt;font-famil=
y:arial,helvetica,sans-serif"><font face=3D"arial, helvetica, sans-serif">A=
lso, root can still su to an account with nologin using -s parameter:</font=
><div>
<font face=3D"arial, helvetica, sans-serif"><br></font><div><div><font face=
=3D"courier new, courier, monaco, monospace, sans-serif">guinness:~ # grep =
statd /etc/passwd</font></div><div><font face=3D"courier new, courier, mona=
co, monospace, sans-serif">statd:x:493:65534:NFS statd daemon:/var/lib/nfs:=
/sbin/nologin</font></div>
<div><font face=3D"courier new, courier, monaco, monospace, sans-serif">gui=
nness:~ # grep statd /etc/shadow</font></div><div><font face=3D"courier new=
, courier, monaco, monospace, sans-serif">statd:!:15770::::::</font></div><=
div>
<font face=3D"courier new, courier, monaco, monospace, sans-serif">guinness=
:~ # su statd</font></div><div class=3D"im"><div><font face=3D"courier new,=
courier, monaco, monospace, sans-serif">This account is currently not avai=
lable.</font></div>
</div><div><font face=3D"courier new, courier, monaco, monospace, sans-seri=
f">guinness:~ # su -s /bin/bash statd -c "id -a"</font></div><div=
><font face=3D"courier new, courier, monaco, monospace, sans-serif">uid=3D4=
93(statd) gid=3D65534(nogroup) groups=3D65534(nogroup)</font></div>
<div><font face=3D"courier new, courier, monaco, monospace, sans-serif">gui=
nness:~ # su -s /bin/bash - statd</font></div><div><font face=3D"courier ne=
w, courier, monaco, monospace, sans-serif">statd at guinness:~> pwd</font><=
/div>
<div><font face=3D"courier new, courier, monaco, monospace, sans-serif">/va=
r/lib/nfs</font></div><div><font face=3D"courier new, courier, monaco, mono=
space, sans-serif">statd at guinness:~> logout</font></div><div><font face=
=3D"courier new, courier, monaco, monospace, sans-serif">guinness:~ #=C2=A0=
</font></div>
<div style=3D"font-family:arial,helvetica,sans-serif"><br></div><div style=
=3D"font-family:arial,helvetica,sans-serif">This technique, especially with=
the -c param, is useful when writing /etc/init.d scripts to start/stop a s=
ervice running as a service account with /sbin/nologin or /bin/false as a s=
hell. That may be a bit old-school, as most of the init scripts seem to use=
startproc instead of su these days.</div>
<div style=3D"font-family:arial,helvetica,sans-serif"><br></div><div style=
=3D"font-family:arial,helvetica,sans-serif">OpenSUSE seems to populate /etc=
/shadow password with a single "!" instead of a double bang. I do=
n't believe the bangs are special characters, but that no actual passwo=
rd will ever has into either one. You could probably just as well put "=
;nope" in there. I see a lot of entries with "*" as the pass=
word and I expect it serves the same purpose.</div>
<div style=3D"font-family:arial,helvetica,sans-serif"><br></div><div style=
=3D"font-family:arial,helvetica,sans-serif">Scott</div><div><br></div><hr s=
tyle=3D"font-family:arial,helvetica,sans-serif"><div style=3D"font-size:12p=
t;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-s=
erif;font-weight:normal">
<b>From: </b>"Jim Kinney" <<a href=3D"mailto:jim.kinney at gmail.=
com" target=3D"_blank">jim.kinney at gmail.com</a>><br><b>To: </b>"Atl=
anta Linux Enthusiasts" <<a href=3D"mailto:ale at ale.org" target=3D"_=
blank">ale at ale.org</a>><br>
<b>Sent: </b>Tuesday, July 30, 2013 1:30:03 PM<div class=3D"im"><br><b>Subj=
ect: </b>Re: [ale] Service account allows sudo but no login<br><br></div><d=
iv><div class=3D"h5"><div dir=3D"ltr"><div><div><div>set account to be &quo=
t;disabled" by having password field in /etc/shadow to '!!'. T=
he shell can be what ever is needed to start service. If the service needs =
no shell, set it to /sbin/nologin.<br>
<br></div>eg.:<br><br># grep postgres /etc/passwd<br>postgres:x:26:26:Postg=
reSQL Server:/var/lib/pgsql:/bin/bash<br># grep postgres /etc/shadow<br>pos=
tgres:!!:15824::::::<br><br><br></div>No user named postgres can login BUT =
(only) root _can_ su - postgres since there is a shell.<br>
<br></div>These accounts can't be su'ed to :<br># grep nologin /etc=
/passwd<br>bin:x:1:1:bin:/bin:/sbin/nologin<br>daemon:x:2:2:daemon:/sbin:/s=
bin/nologin<br>adm:x:3:4:adm:/var/adm:/sbin/nologin<br>lp:x:4:7:lp:/var/spo=
ol/lpd:/sbin/nologin<br>
<br># su - bin<br>This account is currently not available.<br># su - lp<br>=
This account is currently not available.<br><br><br></div><div class=3D"gma=
il_extra"><br><br><div class=3D"gmail_quote">On Tue, Jul 30, 2013 at 12:28 =
PM, leam hall <span dir=3D"ltr"><<a href=3D"mailto:leamhall at gmail.com" t=
arget=3D"_blank">leamhall at gmail.com</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div>Is there a good securi=
ty practice for service accounts? The goal is that an app can run as "=
myapp" but no one can login as myapp and myapp's password does not=
expire. <br>
<br></div>So far best practice seems to be having a regular shell and no pa=
ssword, with specific people/groups allowed to sudo over. <br clear=3D"all"=
>
<div><div><br></div><div>Thoughts?<span><font color=3D"#888888"><br><br></f=
ont></span></div><span><font color=3D"#888888"><div>Leam<br><br></div><div>=
-- <br><div><a href=3D"http://leamhall.blogspot.com/" target=3D"_blank">Min=
d on a Mission</a></div>
</div></font></span></div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href=3D"mailto:Ale at ale.org" target=3D"_blank">Ale at ale.org</a><br>
<a href=3D"http://mail.ale.org/mailman/listinfo/ale" target=3D"_blank">http=
://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href=3D"http://mail.ale.org/mailman/listinfo" target=3D"_blank">http://m=
ail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear=3D"all"><br>-- <br>-- <br>James P. Kin=
ney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, yo=
u will have to build a jail. What you=20
gain at one end you lose at the other. It's like feeding a dog =
on his=20
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href=3D"http:/=
/electjimkinney.org" target=3D"_blank">http://electjimkinney.org</a><br><a =
href=3D"http://heretothereideas.blogspot.com/" target=3D"_blank">http://her=
etothereideas.blogspot.com/</a><br>
</i></i></i></i>
</div>
<br>_______________________________________________<br>Ale mailing list<br>=
<a href=3D"mailto:Ale at ale.org" target=3D"_blank">Ale at ale.org</a><br><a href=
=3D"http://mail.ale.org/mailman/listinfo/ale" target=3D"_blank">http://mail=
.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br><a href=3D"http://mail.ale.org/m=
ailman/listinfo" target=3D"_blank">http://mail.ale.org/mailman/listinfo</a>=
<br></div></div></div><br></div></div></div></div><br>_____________________=
__________________________<br>
Ale mailing list<br>
<a href=3D"mailto:Ale at ale.org">Ale at ale.org</a><br>
<a href=3D"http://mail.ale.org/mailman/listinfo/ale" target=3D"_blank">http=
://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href=3D"http://mail.ale.org/mailman/listinfo" target=3D"_blank">http://m=
ail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear=3D"all"><br>-- <br>-- <br>James P. Kin=
ney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, yo=
u will have to build a jail. What you=20
gain at one end you lose at the other. It's like feeding a dog =
on his=20
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href=3D"http:/=
/electjimkinney.org" target=3D"_blank">http://electjimkinney.org</a><br><a =
href=3D"http://heretothereideas.blogspot.com/" target=3D"_blank">http://her=
etothereideas.blogspot.com/</a><br>
</i></i></i></i>
</div>
--001a11c3ecbc47dfe804e2bfb0f8--
More information about the Ale
mailing list