On Tue, 08 Mar 2022 at 17:49:04 +0100, Marc Haber wrote:
> (3)
> #625758
> --disabled-password just does not set a password for the newly created
> account (resulting in '*' in shadow) while --disabled-login places a '!'
> in shadow. On modern systems with PAM, both variants seem to be
> identical, allowing login via ssh.
I assume you mean: allowing login via ssh if other steps have been taken to
allow it, like creating and populating ~/.ssh/authorized_keys?

This ties in with the suggestion that system accounts should be "locked"
(usermod -L -e 1) when the package that owns them is removed. usermod -L
edits the crypted password in /etc/shadow to prevent login, by prepending
'!', which is not a possible crypt(3) output: so it seems the distinction
between these options is something like:

--disabled-password: the new account doesn't have a valid password, so
password authentication will always fail

--disabled-login: the new account has an empty password but is "locked";
so password authentication will fail, but "unlocking" the account will
result in login being accepted with a blank password (subject to other
policies like ssh PermitEmptyPasswords and PAM nullok)

    smcv
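As an added example, not part of the thread or of adduser/shadow-utils, the following POSIX shell script classifies the password field of a shadow entry the way the two adduser options leave it, shows what usermod -L / -U do to that field, and audits constructed sample entries (including the -e 1 expiry); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Shadow entries are constructed.
# Field 2 of /etc/shadow is the crypted password; '!' is never a crypt(3)
# output, so a leading '!' is how usermod -L marks an account locked.

# classify_pw FIELD -> one of:
#   disabled-password  '*'    no valid hash: password auth always fails
#   locked-empty       '!'    locked, but unlocking leaves an EMPTY password
#   locked-hash        '!...' locked, unlocking restores the real hash
#   empty              ''     blank password (subject to nullok etc.)
#   hash               anything else: an ordinary crypt(3) hash
classify_pw() {
    case "$1" in
        '')   echo empty ;;
        '*')  echo disabled-password ;;
        '!')  echo locked-empty ;;
        '!'*) echo locked-hash ;;
        *)    echo hash ;;
    esac
}

# lock_pw FIELD -> what usermod -L stores: a single '!' prepended
lock_pw() {
    case "$1" in
        '!'*) printf '%s\n' "$1" ;;
        *)    printf '!%s\n' "$1" ;;
    esac
}

# unlock_pw FIELD -> what usermod -U stores: the leading '!' removed
unlock_pw() { printf '%s\n' "${1#!}"; }

# audit_shadow < FILE -> "name state expired|not-expired" per entry;
# field 8 equal to 1 is what usermod -e 1 sets (expired on 1970-01-02)
audit_shadow() {
    while IFS=: read -r name pw last min max warn inact expire flag; do
        state=$(classify_pw "$pw")
        if [ "$expire" = 1 ]; then exp=expired; else exp=not-expired; fi
        printf '%s %s %s\n' "$name" "$state" "$exp"
    done
}

# Constructed sample entries, one per state discussed in the thread
audit_shadow <<'EOF'
svc-star:*:19000:0:99999:7:::
svc-bang:!:19000:0:99999:7:::
svc-locked:!$6$salt$hash:19000:0:99999:7::1:
svc-empty::19000:0:99999:7:::
EOF
```

The point of the locked-empty case is visible in the output: unlocking `svc-bang` yields `empty`, whereas `svc-star` stays unusable for password login.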