[email]millscc.umanitoba.ca[/email] (Gary Mills) writes:
>In <3F1AFCB7.D672C0F1NOSPAM_hotmail.com> Marc <syn_uwNOSPAM_hotmail.com> writes:>>You've surely seen in your /etc/shadow password that some accounts have
>>NP in it's password field and other have *LK* when for example I locked
>>an account using passwd -l on an account. So really what's the
>>difference now between NP and *LK* ? Because anyway if I have an account
>>with NP I neither can login... Also what command would get you NP in
>>/etc/shadow for a user account ?Account of which the encrypted password strings *starts* with *LK* are>This is somewhat speculative. I notice that
>/usr/lib/security/pam_unix_account.so contains the strings `*LK*' and
>`*NP*', but not `NP'. Apparently, `*LK*' means locked, and `*NP*'
>means no password, and the PAM modules will treat these values
>appropriately. For example, cron commands will not run if the account
>is locked. I don't know about `*NP*', but perhaps it forces a
>password change at the next login. `NP' probably behaves just like `*',
>which is simply an unmatchable encrypted password.
These locked accounts cannot:
- run cron/at jobs
- run "rsh/ssh" w/o password
I.e., programs properly calling pam_acct_mgmt() to verify that the
account is valid and enabled will not allow such accounts to be used.
(note that older releases of Solaris made no such distinction; this
was a bug which was finally fixed in Solaris 8 + somepatch)
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.