difference between NP and *LK* in /etc/shadow as password - Sun Solaris

  1. #1

    Re: difference between NP and *LK* in /etc/shadow as password

    Marc <syn_uwNOSPAM_hotmail.com> writes:
    > You've surely seen in your /etc/shadow password that some accounts have
    > NP in its password field and others have *LK* when for example I locked
    > an account using passwd -l on an account. So really what's the
    > difference now between NP and *LK* ? Because anyway if I have an account
    > with NP I neither can login... Also what command would get you NP in
    > /etc/shadow for a user account ?
    *LK* locks the account so that it's impossible to login with that
    username. This is standard when an account is created. NP disables
    password login to the account, while it's still possible to (for
    instance) login via ssh if the appropriate authorization file exists.

    --
    Jenny With the Axe, and the Temper http://www.algonet.se/~jenny-h/
    #include <std_disclaimer.h>
    "The only truly safe "embedded system" is the system that has an axe
    embedded in it... " -Tanuki
    Jenny Dybedahl Guest

  2. #2

    Re: difference between NP and *LK* in /etc/shadow as password

    millscc.umanitoba.ca (Gary Mills) writes:
    >In <3F1AFCB7.D672C0F1NOSPAM_hotmail.com> Marc <syn_uwNOSPAM_hotmail.com> writes:
    >>You've surely seen in your /etc/shadow password that some accounts have
    >>NP in its password field and others have *LK* when for example I locked
    >>an account using passwd -l on an account. So really what's the
    >>difference now between NP and *LK* ? Because anyway if I have an account
    >>with NP I neither can login... Also what command would get you NP in
    >>/etc/shadow for a user account ?
    >This is somewhat speculative. I notice that
    >/usr/lib/security/pam_unix_account.so contains the strings `*LK*' and
    >`*NP*', but not `NP'. Apparently, `*LK*' means locked, and `*NP*'
    >means no password, and the PAM modules will treat these values
    >appropriately. For example, cron commands will not run if the account
    >is locked. I don't know about `*NP*', but perhaps it forces a
    >password change at the next login. `NP' probably behaves just like `*',
    >which is simply an unmatchable encrypted password.
    Accounts of which the encrypted password string *starts* with *LK* are
    locked.

    These locked accounts cannot:

    - run cron/at jobs
    - run "rsh/ssh" w/o password

    I.e., programs properly calling pam_acct_mgmt() to verify that the
    account is valid and enabled will not allow such accounts to be used.

    (note that older releases of Solaris made no such distinction; this
    was a bug which was finally fixed in Solaris 8 + somepatch)

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper H.S. Dik Guest

  3. #3

    Re: difference between NP and *LK* in /etc/shadow as password

    Syn <syn_NOSPAM_uwhotmail.com> writes:
    >Well that's exactly the point where I want to come to. I have a user
    >account actually called mysql, this account shouldn't be allowed to
    >login, so for that I have locked the account using passwd -l mysql, I've
    >also changed the shell to /bin/false. But now under this user account I
    >still have to run cronjobs and when the account is locked the cronjobs
    >simply do not run, so what I did is enter "NP" instead of "*LK*" into
    >the password field in /etc/shadow. But now I want to make sure this NP
    >is not a security concern somehow letting mysql user login by don't know
    >what kind of backdoor.
    Locked (*LK*): can't run anything.
    Not locked but invalid encrypted password: if a .rhosts file or
    suitable .ssh/authorized_keys entry exists, logins are allowed. But
    you control those files; with /bin/false as shell even that risk does not
    exist.

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper H.S. Dik Guest

  4. #4

    Re: difference between NP and *LK* in /etc/shadow as password

    > Not locked but invalid encrypted password: if a .rhosts file or
    > suitable .ssh/authorized_keys entry exists, logins are allowed. But
    > you control those files; with /bin/false as shell even that risk does not
    > exist.
    Ok everything clear now, so the NP could just be anything like BLABLA.

    Regards


    Syn Guest

  5. #5

    Re: difference between NP and *LK* in /etc/shadow as password

    Casper H.S. Dik <Casper.Diksun.com> wrote:
    > Syn <syn_NOSPAM_uwhotmail.com> writes:
    >>Well that's exactly the point where I want to come to. I have a user
    >>account actually called mysql, this account shouldn't be allowed to
    >>login, so for that I have locked the account using passwd -l mysql, I've
    >>also changed the shell to /bin/false. But now under this user account I
    >>still have to run cronjobs and when the account is locked the cronjobs
    >>simply do not run, so what I did is enter "NP" instead of "*LK*" into
    >>the password field in /etc/shadow. But now I want to make sure this NP
    >>is not a security concern somehow letting mysql user login by don't know
    >>what kind of backdoor.
    > Locked (*LK*): can't run anything.
    I noticed that Solaris 8 has started enforcing this rule only
    relatively recently. I noticed this after installing patch 108993-18 a
    few weeks ago. Before installing it, the cron jobs were working for
    locked accounts.

    --
    Akop Pogosian

    This space has been accidentally left blank.
    Akop Pogosian Guest

  6. #6

    Re: difference between NP and *LK* in /etc/shadow as password

    On Mon, 21 Jul 2003 01:46:23 +0000, Gary Mills wrote:
    >
    > is locked. I don't know about `*NP*', but perhaps it forces a
    > password change at the next login.
    *NP* is what nscd and/or NIS+ returns in the password field when
    the NIS+ table permissions do not allow the requesting principal
    to read the encrypted password entry.

    pam_unix_* needs to know about this so that it can generate
    a suitable error message and appropriate PAM return code.

    IIRC it can also be seen when using NIS with passwd.adjunct.

    --
    Darren J Moffat - Sun Microsystems Solaris Security
    Darren J Moffat Guest
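
The password-field states described across the replies above, as an added example that is not part of any post in the thread: a POSIX shell classifier for the second field of a shadow-style entry. The function names and sample entries are constructed, and the `$` prefix and 13-character checks for a real hash are assumptions of this example; it needs a POSIX shell (on Solaris, /usr/xpg4/bin/sh or ksh).

```shell
#!/bin/sh
# Added example; all entries below are constructed, not from a real system.

# Classify the password field (2nd field) of a shadow-style entry.
classify_field() {
    case "$1" in
        '*LK*'*) echo locked ;;   # anything that starts with *LK*
        '*NP*')  echo hidden ;;   # name-service placeholder, not a hash
        '')      echo empty ;;    # no password set at all
        '$'*)    echo hash ;;     # modular crypt format (assumption)
        *[!./0-9A-Za-z]*) echo unmatchable ;;  # e.g. "*": outside crypt alphabet
        ?????????????)    echo hash ;;         # 13 chars: traditional crypt()
        *)       echo unmatchable ;;           # NP, BLABLA: wrong length
    esac
}

sample_shadow() {   # constructed shadow-style lines
    cat <<'EOF'
root:abJnggxhB/yWI:12000::::::
mysql:NP:12000::::::
olddba:*LK*:12000::::::
batch:*LK*abJnggxhB/yWI:12000::::::
nisuser:*NP*:12000::::::
EOF
}

# Print "user state" for every entry read from stdin.
audit_shadow() {
    while IFS=: read -r user field rest; do
        printf '%s ' "$user"
        classify_field "$field"
    done
}

# Accounts whose cron/at jobs and rsh/ssh logins are refused (state "locked").
locked_accounts() {
    audit_shadow | awk '$2 == "locked" { print $1 }'
}

sample_shadow | audit_shadow
```

For every account reported as `unmatchable`, the remaining checks from the thread are the login shell and whether a `.rhosts` or `.ssh/authorized_keys` file exists in its home directory.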
