On Jan 8, 2002 at 14:40, Tim Legg wrote:
>Is there any reason the password must be a "*"? It seems that this could
>be a security risk. Couldn't anybody just log in as mailman and know that
>the password is "*" and do all kinds of mean things?

As JCL says, that's a flag, not a password.

/etc/passwd stores passwords encrypted by the crypt() function. The encrypted string is always the same length, and the first two octets (bytes? characters?) are the 'salt' used to encrypt the password.

Using the salt and the plain password with the crypt utility or the crypt() function, we can get the encrypted string. Compare with stored string; match means the plain text password is correct, mismatch means it is incorrect. Going the other way -- decrypting the encrypted string -- is very, very difficult.

Now a password string consisting of just *, !, !!, or x is not a valid encrypted password. The first two or three indicate the account does not allow logins, i.e. is disabled (root can, of course, su to it anytime). x I've seen used to indicate the password is stored in /etc/shadow for greater security. passwd is world-readable, shadow is not.

HTH.

-- 
Satya. <URL:http://satya.virtualave.net/>
Never attribute to malloc what can be easily explained by stupidity.

------------------------------------------------------
Mailman-Users maillist - [EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
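
Added example, not part of the original post: a small Python audit that reads passwd-style entries and reports what each password field means, following the distinction drawn in the reply above (flag values, the shadow marker, and real crypt() output). The sample entries are constructed, and the names classify, audit and SAMPLE, as well as the modular-crypt pattern, are assumptions of this example.

```python
import re

# Classic DES crypt() output: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Later "modular crypt" strings look like $id$salt$hash (assumption: not in the post).
MODULAR_CRYPT = re.compile(r"\$[0-9A-Za-z]+\$.+")

def classify(field):
    """Say what the second field of a passwd entry means."""
    if field == "":
        return "empty"      # traditionally: no password required
    if field == "x":
        return "shadowed"   # real hash is kept in /etc/shadow
    if DES_CRYPT.fullmatch(field) or MODULAR_CRYPT.fullmatch(field):
        return "hash"       # a crypt() result that some password can match
    return "locked"         # "*", "!", "!!", "!<hash>": no password hashes to this

def audit(passwd_text):
    """Return ({user: status}, findings) for passwd-format text."""
    status, findings = {}, []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append(f"line {n}: malformed entry")
            continue
        user, field = parts[0], parts[1]
        status[user] = classify(field)
        if status[user] == "empty":
            findings.append(f"{user}: login without a password")
        elif status[user] == "hash":
            findings.append(f"{user}: hash exposed in world-readable passwd")
    return status, findings

# Constructed sample entries; the 13-character string is made up, not a real hash.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
mailman:*:41:41:Mailman:/var/mailman:/bin/false
olduser:ab01FAX.bQRSU:500:500::/home/olduser:/bin/sh
guest::501:501::/home/guest:/bin/sh
frozen:!!:502:502::/home/frozen:/bin/sh
"""

if __name__ == "__main__":
    status, findings = audit(SAMPLE)
    for user, state in status.items():
        print(f"{user:8} {state}")
    print(*findings, sep="\n")
```

The mailman entry comes out as locked, which is the case asked about: "*" is not 13 characters of crypt() alphabet, so no typed password can ever produce it.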
