Hi,

As part of our effort to become (J-)SOX compliant, my manager had to review a list of system user accounts on our systems. One of his remarks was that he believed the games user account (amongst others) should not exist on our systems. I explained to him that this is a default user account (it is in the initial passwd file of the setup package) and that it was locked, so it cannot be used to access the system.

However, when I check the account on several of our systems (RHEL3,4,5, Fedora9 and even RH9) I do not get the result I expected from passwd -S:

  # passwd -S games
  Alternate authentication scheme in use.

Other accounts like mail also return this state, whereas accounts like rpc do return the "Password locked." as I expected:

  # passwd -S rpc
  Password locked.

The difference between these accounts is that for those accounts that are locked the password field in /etc/shadow contains "!!" as described in the man page of a.o. passwd. The accounts for which passwd reports "Alternate authentication scheme in use" have an asterisk "*" in the password field:

  # grep "games:" /etc/passwd /etc/shadow
  /etc/passwd:games:x:12:100:games:/usr/games:/sbin/nologin
  /etc/shadow:games:*:14133:0:99999:7:::

Locking the accounts with "usermod -L" changes the password field of /etc/shadow to "!*", upon which passwd -S reports that the account is locked:

  # usermod -L games
  # echo $?
  0
  # passwd -S games
  Password locked.
  # grep "games:" /etc/passwd /etc/shadow
  /etc/passwd:games:x:12:100:games:/usr/games:/sbin/nologin
  /etc/shadow:games:!*:14061:0:99999:7:::

This appears to apply to all user accounts of the setup package.

What does the asterisk (*) in the password field mean? Can these accounts also be considered locked? Or does it make sense (as the NSA's "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" suggests) to lock all these accounts? And if it makes sense to lock these accounts, wouldn't it be better to update the setup package so this is the default?

Kind regards
Bram

Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
VAT BE 0406.024.281, RPR Mechelen, ING 310-0092504-52, IBAN : BE64 3100 0925 0452, SWIFT : BBRUBEBB
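
An added example, not part of the original post and not Red Hat tooling: a shell audit that classifies the /etc/shadow password field for each account, covering the three values seen above ("*", "!!", "!*"). It relies on shadow(5), which says a field that is not a valid crypt(3) result, such as "*" or "!", cannot be matched by any password; the state names, function names, and the rpc and alice sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the /etc/shadow password field as observed in the post.

# shadow_state FIELD -> prints one state name for the second shadow column.
shadow_state() {
    case "$1" in
        '')   echo EMPTY ;;          # no password set at all
        '!'*) echo LOCKED ;;         # "!!" or "!*": passwd -S said "Password locked."
        '*'*) echo NO_VALID_HASH ;;  # "*": passwd -S said "Alternate authentication scheme in use."
        '$'*) echo HASH ;;           # $id$salt$hash crypt(3) string
        *)    echo OTHER ;;          # anything else, e.g. a legacy DES hash
    esac
}

# audit_accounts PASSWD_FILE SHADOW_FILE -> one line per account: user uid shell state
audit_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        entry=$(awk -F: -v u="$user" '$1 == u' "$2")
        if [ -z "$entry" ]; then
            state=NO_SHADOW_ENTRY
        else
            state=$(shadow_state "$(printf '%s\n' "$entry" | cut -d: -f2)")
        fi
        printf '%s uid=%s shell=%s %s\n' "$user" "$uid" "$shell" "$state"
    done < "$1"
}

# sample_audit: run the audit over constructed sample files
# (the games lines are the ones quoted in the post; rpc and alice are constructed).
sample_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
games:x:12:100:games:/usr/games:/sbin/nologin
rpc:x:32:32:constructed entry:/:/sbin/nologin
alice:x:500:500:constructed entry:/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
games:*:14133:0:99999:7:::
rpc:!!:14133:0:99999:7:::
alice:$1$constructed$notarealhashvalue:14133:0:99999:7:::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

sample_audit
```

On a real system, run `audit_accounts /etc/passwd /etc/shadow` as root; accounts reported as EMPTY, or as HASH with a login shell, are the ones an account review would look at first.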