Upon installation, Debian includes users libuuid and Debian-exim in /etc/shadow with an empty password field:
libuuid::14292:0:99999:7::: Debian-exim::14377:0:99999:7::: Although Debian-exim specifies /bin/false as a shell in /etc/passwd to eliminate login, libuuid does not: libuuid:x:100:101::/var/lib/libuuid:/bin/sh Debian-exim:x:103:105::/var/spool/exim4:/bin/false Besides which, the use of /bin/false does not eliminate use of an account in ways through ssh. e.g. http://www.semicomplete.com/articles/ssh-security/ 1) What stops one from logging into a Debian machine through libuuid or Debian-exim by specifying a blank password? Or, using ssh though one of these users and a blank password? 2) For a greater degree of comfort or security, could I change the password field to an '*' for these users without causing a problem? And, where would I see that problem if it did occur (e.g. exim is not installed on my system.)? libuuid:*:14292:0:99999:7::: Debian-exim:*:14377:0:99999:7::: Thanks in advance. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
