This is current/amd64.

I created a user account, disabling password logins,
and put the guy's public ssh key into his ~/.ssh/authorized_keys.
The user can log in and everything works, but:

  Running security(8):

  Checking the /etc/master.passwd file:
  Login maxa is off but still has a valid shell and alternate access files in
           home directory are still readable.


According to master.passwd(5):

         login accounts not allowing password authentication but allowing
         other authentication methods, for example public key authentication,
         conventionally have 13 asterisks in the password field.

but adduser did not put 13 asterisks in the password field (just '*')
and security(8)'s check_passwd() seems to have no notion of
'13 asterisks in the password field' - the login is just considered 'off'
if $pwd !~ /^\$[0-9a-f]+\$/

Is the info in master.passwd(5) still valid?
Should adduser put '*************' as the passwd for such accounts?
(I do see accounts with 13 asterisks for passwd, e.g. _postgresql.)

        Jan

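For readers following the question above, here is an added example (not from the post, not from security(8) and not from any OpenBSD source) that scans master.passwd(5) lines and applies the two tests the post mentions: the check_passwd() regex it quotes (a field matching /^\$[0-9a-f]+\$/ is a real hash, anything else counts as "off") and the 13-asterisk convention from master.passwd(5). It then reports which "off" logins still have a usable shell. The field layout (name:password:uid:gid:class:change:expire:gecos:home:shell) is the real master.passwd(5) layout; the sample entries and the fake bcrypt string are constructed, and the notion of a "valid shell" used here (non-empty and not /sbin/nologin) is an assumption, as is the name classify_passwd. The real security(8) warning additionally requires readable alternate access files in the home directory, which this example does not check.

```shell
#!/bin/sh
# Added example, not part of the original post or of security(8).
# Classify master.passwd(5) entries by the shape of the password field and
# report "off" logins (per the check_passwd() regex quoted in the post) that
# still have a valid shell.

# Constructed sample master.passwd(5) lines. The root hash is a fake bcrypt
# string with the right "$2b$10$" prefix, not a real password hash.
SAMPLE_MASTER_PASSWD='root:$2b$10$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
maxa:*:1001:1001::0:0:Max A:/home/maxa:/bin/ksh
_postgresql:*************:503:503::0:0:PostgreSQL Manager:/var/postgresql:/bin/sh
nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin'

# Reads master.passwd lines on stdin, prints "<name> <kind> <note>" per entry.
classify_passwd() {
    awk -F: 'NF >= 10 {
        pw = $2; shell = $10

        # Hashed password: "$", hex digits, "$" (the test the post quotes from
        # check_passwd()). OpenBSD bcrypt fields like "$2b$10$..." match it.
        if (pw ~ /^\$[0-9a-f]+\$/)        kind = "hashed"
        # Convention from master.passwd(5) for key-only accounts.
        else if (pw == "*************")   kind = "13-asterisks"
        # What adduser wrote for the account in the post.
        else if (pw == "*")               kind = "single-asterisk"
        else if (pw == "")                kind = "empty"
        else                              kind = "other"

        # Anything that is not a hash is "off" as far as the quoted regex goes;
        # the 13-asterisk form gets no special treatment, as the post observes.
        off = (kind != "hashed")
        # Assumption: a shell is "valid" if set and not /sbin/nologin.
        valid_shell = (shell != "" && shell != "/sbin/nologin")

        note = (off && valid_shell) ? "off-but-shell-valid" : "ok"
        print $1, kind, note
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | classify_passwd
```

Run it against the real file with `doas classify_passwd < /etc/master.passwd` (after sourcing the script); the "off-but-shell-valid" entries are the candidates security(8) will complain about once it also finds readable alternate access files in their home directories.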