
"Alternate authentication scheme in use" by certain system accounts


As part of our effort to become (J-)SOX compliant my manager had to
review a list of system user accounts on our systems.

One of his remarks was that he believed the games user account (amongst
others) should not exist on our systems.  I explained to him that this is a
default user account (it is in the initial passwd file of the setup
package) and that it was locked so it cannot be used to access the

However when I check the account on several of our systems (RHEL3,4,5,
Fedora9 and even RH9) I do not get the result I expected from passwd -S:

# passwd -S games
Alternate authentication scheme in use.

Other accounts like mail also return this state whereas accounts like
rpc do return the "Password locked." as I expected:
# passwd -S rpc
Password locked.

The difference between these accounts is that for those accounts that
are locked the password field in /etc/shadow contains "!!" as described
in the man page of a.o. passwd.  The accounts for which passwd reports
"Alternate authentication scheme in use" have an asterisk "*" in the
password field:
# grep "games:" /etc/passwd /etc/shadow

Locking the accounts with "usermod -L" changes the password field of
/etc/shadow to "!*" upon which passwd -S reports that the account is
# usermod -L games
# echo $?
# passwd -S games
Password locked.
# grep "games:" /etc/passwd /etc/shadow

This appears to apply to all user accounts of the setup package.

What does the asterisk (*) in the password field mean?  Can these
accounts also be considered locked?  Or does it make sense (as the NSA's
"Guide to the Secure Configuration of Red Hat Enterprise Linux 5"
suggests) to lock all these accounts?

And if it makes sense to lock these accounts wouldn't it be better to
update the setup package so this is the default?

Kind regards


Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
VAT BE 0406.024.281, RPR Mechelen, ING  310-0092504-52, IBAN : BE64 3100 0925 0452, SWIFT : BBRUBEBB
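
Added example, not part of the original post: a POSIX shell audit that classifies the password field of shadow(5)-format lines, covering the "*", "!!" and "!*" values discussed above. The state names, the function names and the sample data are assumptions of this example; the rules follow shadow(5) and crypt(3) (a leading "!" marks a locked password, and a string such as "*" is not a valid hash, so no password can match it), not the exact logic of passwd -S.

```shell
#!/bin/sh
# Added example: classify shadow(5) password fields by what they permit.
# It reads only the data it is given and does not reproduce "passwd -S".

classify_shadow_field() {
    case "$1" in
        '')   echo "EMPTY" ;;          # no password needed to log in
        '!'*) echo "LOCKED" ;;         # "!" prefix, e.g. "!!" or "!*"
        '*')  echo "NO_VALID_HASH" ;;  # "*" can never equal a crypt(3) result
        '$'*) echo "HASH_SET" ;;       # modular crypt hash ($1$, $6$, ...)
        *[!./0-9A-Za-z]*) echo "NO_VALID_HASH" ;;  # not a hash alphabet
        *)    if [ "${#1}" -eq 13 ]; then          # traditional DES hash
                  echo "HASH_SET"
              else
                  echo "NO_VALID_HASH"
              fi ;;
    esac
}

# Print "user state" for every line of shadow-format data on stdin.
audit_shadow() {
    while IFS=: read -r user field rest; do
        [ -n "$user" ] || continue
        echo "$user $(classify_shadow_field "$field")"
    done
}

# Constructed sample data; names other than games and rpc are hypothetical.
sample_shadow() {
    cat <<'EOF'
games:*:14000:0:99999:7:::
rpc:!!:14000:0:99999:7:::
svc_locked:!*:14000:0:99999:7:::
svc_empty::14000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real system the same function can be fed with `audit_shadow < /etc/shadow` as root; EMPTY and HASH_SET are the states to review for system accounts.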
