Sunday, July 01, 2018

Re: Daily insecurity output on valid users using key with valid shell and without password.

From passwd(5):
Similarly, login accounts not allowing password authentication but allowing
other authentication methods, for example public key authentication,
conventionally have 13 asterisks in the password field.

I believe security(8) will stop barking about these accounts if you set the
encrypted password to 13 asterisks, instead of just one.

Sorry for top post. Gmail gets squirrelly sometimes when I try to properly
respond in body.




On Sun, Jul 1, 2018 at 12:22 PM, Daniel Ouellet <daniel@presscom.net> wrote:

> I find this annoying and sometimes I overlook this because I always get
> the example:
>
> ==============
> Running security(8):
>
> Checking the /etc/master.passwd file:
> Login share is off but still has a valid shell and alternate access files in
> home directory are still readable.
> Login xxx is off but still has a valid shell and alternate access files in
> home directory are still readable.
> =========
>
> Is there a better or different way to do this?
>
> I always disable the login password on users with * as opposed to a password
> in the master.passwd file after keys are installed as I DO NOT want to
> allow login password when ssh keys are used, but still get the above
> warning daily on multiple servers & users.
>
> The Running security(8): is nice as you see possible changes done by sys
> admin and you get the feedback, but getting daily warnings for the same
> things sometimes will get overlooked because of noise.
>
> Is there a better way to disable login and not get these warnings for ssh
> key users and keep the valid idea and use of the cronjob as is?
>
> Daniel
>
>
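
An added example (not part of the original thread, and not security(8)'s own code): a small sh/awk helper that lists the accounts in a master.passwd(5)-format file whose password field is all asterisks but not the 13-asterisk convention quoted from passwd(5) above, so they can be changed in one pass. Treating a shell path ending in "sh" as a "valid shell" is an assumption, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit a master.passwd(5)-format file for key-only accounts
# whose password field does not follow the 13-asterisk convention.

# find_short_star_logins FILE
# Prints the login name of every entry whose password field consists only of
# asterisks, is not exactly 13 characters long, and whose shell ends in "sh".
# Assumption: "valid shell" is approximated as a shell path ending in "sh".
find_short_star_logins() {
    awk -F: '
        /^#/ || NF != 10 { next }   # skip comments and malformed entries
        # $2 = encrypted password field, $10 = login shell
        $2 ~ /^[*]+$/ && length($2) != 13 && $10 ~ /sh$/ { print $1 }
    ' "$1"
}

# Constructed sample entries (not from a real system).
write_sample() {
    stars13=$(printf '%13s' '' | tr ' ' '*')
    printf '%s\n' \
        'daemon:*:1:1::0:0:constructed:/root:/sbin/nologin' \
        'share:*:1000:1000::0:0:constructed:/home/share:/bin/ksh' \
        "deploy:${stars13}:1001:1001::0:0:constructed:/home/deploy:/bin/ksh" \
        > "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "Accounts to change to 13 asterisks:"
find_short_star_logins "$sample"
rm -f "$sample"
```

On a live system the function would be pointed at /etc/master.passwd, which is readable only by root.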
