From roelof@nisser.com  Mon Jan 15 16:09:26 2001
Return-Path: <roelof@nisser.com>
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39])
	by hub.freebsd.org (Postfix) with ESMTP id 31D1A37B6A0
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 15 Jan 2001 16:09:25 -0800 (PST)
Received: (from roelof@localhost)
	by nisser.com (8.9.3/8.9.2) id BAA58909;
	Tue, 16 Jan 2001 01:09:24 +0100 (CET)
	(envelope-from roelof)
Message-Id: <200101160009.BAA58909@nisser.com>
Date: Tue, 16 Jan 2001 01:09:24 +0100 (CET)
From: roelof@nisser.com
Reply-To: roelof@eboa.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: shadow passwd's
X-Send-Pr-Version: 3.2

>Number:         24363
>Category:       docs
>Synopsis:       lack of explanation
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 15 16:10:01 PST 2001
>Closed-Date:    Fri Jun 15 15:23:36 PDT 2001
>Last-Modified:  Fri Jun 15 15:24:00 PDT 2001
>Originator:     Roelof Osinga
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
eBOA/Nisser
>Environment:

FreeBSD 4.2-RELEASE

>Description:

I don't get it!

>How-To-Repeat:

By Reading The F. Manual(s):

http://www.freebsd.org/handbook/securing-freebsd.html :

  An indirect way to secure the root account is to secure your staff
  accounts by using an alternative login access method and *'ing out
  the crypted password for the staff accounts. This way an intruder
  may be able to steal the

What's "*'ing"? Check 'man 5 passwd':

  The password field is the encrypted form of the password.  If the
  password field is empty, no password will be required to gain access to
  the machine.  This is almost invariably a mistake.  Because these files
  contain the encrypted user passwords, they should not be readable by any-
  one without appropriate privileges.  Administrative accounts have a pass-
  word field containing an asterisk `*' which disallows normal logins.

If you don't know what it's about, this won't teach you much. So you
want to secure. Fine. But how? Change any ol' pwd into a '*'? Mebbe?
Mebbe not. Who is to say?

I think it would be a good idea to explicitly state what is needed. With
a link or other kind of reference to the man.part in question.

>Fix:
	
Some sort of partial rewrite. Maybe something that would show up in, say,
'apropos shadow' or so.

Currently it says enough if you know what it's about. But if you don't,
well, ...

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: murray 
State-Changed-When: Fri Jun 15 15:23:36 PDT 2001 
State-Changed-Why:  
The text has been clarified, thanks! 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=24363 
>Unformatted:
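An added illustration of the passwd(5) rules the PR quotes, not part of this PR or of FreeBSD's own tools: the functions below read constructed master.passwd(5)-style lines, classify each account by its password field (empty, `*`, or a crypted password), flag the passwordless accounts that passwd(5) calls "almost invariably a mistake", and show what the Handbook's "*'ing out" of a staff account amounts to. Account names and hashes are placeholders.

```python
# Added example (not from the PR or FreeBSD): audit master.passwd(5)-style lines by
# their password field per passwd(5) as quoted above: "" = no password needed (the
# mistake it warns of), "*" = normal logins disallowed (the Handbook's "*'ing out").
NFIELDS = 10  # master.passwd(5) has ten colon-separated fields per line

# Constructed sample; the hashes are placeholders, not real crypt(3) output.
SAMPLE_MASTER_PASSWD = """\
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:$1$abc$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$def$PLACEHOLDERHASH:1001:1001::0:0:Alice Staff:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob Open:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol Starred:/home/carol:/bin/sh
"""

def classify(pw_field):
    """Map a password field to what passwd(5) says it means."""
    if pw_field == "":
        return "NO_PASSWORD"
    if pw_field == "*":
        return "LOCKED"
    return "HASH"

def audit(text):
    """Return {account: classification}; malformed lines raise instead of being skipped."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != NFIELDS:
            raise ValueError(f"line {lineno}: expected {NFIELDS} fields, got {len(fields)}")
        result[fields[0]] = classify(fields[1])
    return result

def passwordless_accounts(text):
    """The defender's check: accounts anyone can log into without a password."""
    return sorted(name for name, kind in audit(text).items() if kind == "NO_PASSWORD")

def star_out(text, names):
    """Return the file with the named accounts' password fields set to '*': no typed
    password matches afterwards, leaving only the Handbook's alternative login method."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == NFIELDS and fields[0] in names:
            fields[1] = "*"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"
```

On a live FreeBSD system make such a change with vipw(8) rather than by rewriting the file directly, so that pwd_mkdb(8) regenerates the password databases from master.passwd.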
