> I don't know why RH does this. But having a valid shell in /etc/passwd
> is not sufficient for an attacker. The account also must have a valid
> password in /etc/shadow (or wherever your OS keeps them). Usually the
> role-accounts look somewhat like this:
<snip>
> The "*" or some other symbol like "!" means that this is not a valid
> password and so nobody can enter a correct password for this account.
> Phil
In July 2001, there was an ssh issue that affected user accounts with !! in their password field. This issue wouldn't have been quite as big a risk for Red Hat systems if they had set the shells for these accounts to be /bin/false or something similar. So, this isn't an issue in and of itself, but by changing the shells, we could help mitigate the effect of other potential security issues.
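The following audit is an added example, not part of the original thread: it lists accounts whose password field is locked ("*", "!" or "!!") but whose shell is still interactive, which are the accounts the shell change discussed above would harden. The passwd and shadow contents are constructed sample data, and the set of shells treated as non-interactive is an assumption to adjust for your OS.

```python
# Added example: constructed sample data, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/false
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
daemon:*:11500:0:99999:7:::
ftp:!!:11500:0:99999:7:::
alice:$6$constructedsalt$constructedhash:11500:0:99999:7:::
"""
# Assumption: shells treated as non-interactive; adjust for your OS.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_file(text, min_fields):
    """Split passwd/shadow style text into field lists, skipping junk lines."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if not line.startswith("#") and len(fields) >= min_fields:
            rows.append(fields)
    return rows


def is_locked(pw_field):
    """True for "*", "!", "!!" or a "!"-prefixed hash: no typed password matches.
    An empty field is NOT locked; it means no password is required."""
    return pw_field.startswith(("!", "*"))


def audit(passwd_text, shadow_text):
    """Return (user, password_field, shell) for locked accounts with a login shell."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = []
    for f in parse_colon_file(passwd_text, 7):
        user, pw, shell = f[0], f[1], f[6] or "/bin/sh"  # empty shell means /bin/sh
        if pw == "x":  # "x" means the real field lives in the shadow file
            pw = shadow.get(user, "x")
        if is_locked(pw) and shell not in NOLOGIN_SHELLS:
            findings.append((user, pw, shell))
    return findings


if __name__ == "__main__":
    for user, pw, shell in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: password field {pw!r} is locked but shell is {shell}")
```

On a live system, pass the contents of /etc/passwd and /etc/shadow (the latter needs root to read) to `audit` instead of the sample strings.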