"Alternate authentication scheme in use" by certain system accounts

Mertens, Bram mertensb at mazdaeur.com
Thu Oct 23 11:38:01 UTC 2008


Hi

As part of our effort to become (J-)SOX compliant my manager had to
review a list of system user accounts on our systems.

One of his remarks was that he believed the games user account (amongst
others) should not exist on our systems.  I explained to him that this is a
default user account (it is in the initial passwd file of the setup
package) and that it was locked so it cannot be used to access the
system.

However when I check the account on several of our systems (RHEL3,4,5,
Fedora9 and even RH9) I do not get the result I expected from passwd -S:

# passwd -S games
Alternate authentication scheme in use.

Other accounts like mail also return this state whereas accounts like
rpc do return the "Password locked." as I expected:
# passwd -S rpc
Password locked.

The difference between these accounts is that for those accounts that
are locked the password field in /etc/shadow contains "!!" as described
in the man page of, among others, passwd.  The accounts for which passwd reports
"Alternate authentication scheme in use" have an asterisk "*" in the
password field:
# grep "games:" /etc/passwd /etc/shadow
/etc/passwd:games:x:12:100:games:/usr/games:/sbin/nologin
/etc/shadow:games:*:14133:0:99999:7:::

Locking the accounts with "usermod -L" changes the password field of
/etc/shadow to "!*" upon which passwd -S reports that the account is
locked:
# usermod -L games
# echo $?
0
# passwd -S games
Password locked.
# grep "games:" /etc/passwd /etc/shadow
/etc/passwd:games:x:12:100:games:/usr/games:/sbin/nologin
/etc/shadow:games:!*:14061:0:99999:7:::

This appears to apply to all user accounts of the setup package.

What does the asterisk (*) in the password field mean?  Can these
accounts also be considered locked?  Or does it make sense (as the NSA's
"Guide to the Secure Configuration of Red Hat enterprise Linux 5"
suggests) to lock all these accounts?

And if it makes sense to lock these accounts wouldn't it be better to
update the setup package so this is the default?

Kind regards

Bram
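The three password-field states the post compares ("!!"/"!*" locked, "*" not a valid hash, and a real hash) can be checked mechanically across a whole shadow file. The following is an added example, not code from the original post or from Red Hat; the shadow lines are constructed to mirror the entries shown in the message, with "alice" and "root" added as assumed extra accounts.

```python
"""Audit /etc/shadow password fields as discussed in the post above.

Added example: classify each account by its password field and list the
accounts that can still authenticate with a UNIX password.
"""

# Constructed sample shadow data (not a real system file).
SHADOW = """\
games:*:14133:0:99999:7:::
rpc:!!:14133:0:99999:7:::
mail:*:14133:0:99999:7:::
locked_games:!*:14061:0:99999:7:::
alice:$6$saltsalt$constructedhashvalue0123456789:14133:0:99999:7:::
root::14133:0:99999:7:::
"""


def classify(pw_field: str) -> str:
    """Map a shadow password field to the state passwd -S reports.

    '!' prefix -> locked with passwd -l / usermod -L ("Password locked.")
    '*'        -> not a valid crypt(3) result, so no UNIX password can
                  match; reported as "Alternate authentication scheme in use."
    ''         -> empty field; login without a password if PAM allows nullok
    otherwise  -> a usable password hash
    """
    if pw_field.startswith("!"):
        return "locked"
    if pw_field == "*":
        return "alternate"
    if pw_field == "":
        return "no-password"
    return "password-set"


def password_login_possible(pw_field: str) -> bool:
    """True when a UNIX password (or none at all) could authenticate."""
    return classify(pw_field) in ("password-set", "no-password")


def audit_shadow(text: str) -> dict:
    """Return {account: state} for every non-empty shadow line."""
    states = {}
    for line in text.splitlines():
        if line.strip():
            name, pw_field = line.split(":", 2)[:2]
            states[name] = classify(pw_field)
    return states


def accounts_needing_review(text: str) -> list:
    """Accounts for which a password-based login is not ruled out."""
    return sorted(n for n, s in audit_shadow(text).items()
                  if s in ("password-set", "no-password"))
```

Both "*" and "!" prefixed fields prevent password login; the difference is only in what passwd -S prints and whether usermod -U would re-enable a previously valid hash.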
