Do not use blank lines in /etc/passwd

Eric Black eric at cti.UUCP
Sat Oct 25 10:36:21 AEST 1986


In article <8352 at sun.uucp> guy at sun.uucp (Guy Harris) writes:
>[somebody wrote, I could go back and find who, but I'm lazy]:
>> Umm, could be sort of a security hole in itself:  if anyone can make
>> a match to the "*" you have let them enter the system as root (uid==0).
>
>No, it can't, because they can't.

Lots of similar mail messages and articles to come, no doubt.

I always thought it was obvious, but enough people have expressed "ah-ha!"-
type wonder at this that maybe it bears repeating, and now's a good time.
There is always an amount of turnover at universities and companies, and
user accounts need to be zapped and/or de-activated.  Many times, however,
the *files* owned by those folks, in those directories, want to remain;
there are also occasions where it is desirable to temporarily prevent
a user or account from logging in.  A superuser (or adequately privileged user)
can zap the user's password, either with the passwd command or by
editing the /etc/passwd file, but since there is "no" way to determine
a user's password from the encrypted form in /etc/passwd, it's hard to
set it back.

A convenient method is to edit the passwd file and insert some character
at the beginning of the password string.  I like to use '%', because it is
one of the characters that is never generated in an encryption string and
is easy to find and edit out later.  A password can NEVER be entered which
matches the user's (new) password, preventing logins (and su's other than
by root), yet it is easy to give that person his/her password back.

A trivial point, to be sure, but I thought it was obvious and it apparently
isn't.

-- 
Eric Black   "Garbage In, Gospel Out"
UUCP:        {sun,pyramid,hplabs,amdcad}!cti!eric
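As an added example (not code from the original post), the lock/unlock trick described above in a small Python script: it prefixes the encrypted field with '%', which lies outside the alphabet crypt(3) output can use, so no typed password can ever match, and strips it again to restore the account. It also refuses blank lines, per the subject. The sample file, user names and hash strings are constructed placeholders.

```python
import string

# Characters a crypt(3) hash can contain: the traditional DES alphabet
# [a-zA-Z0-9./] plus '$' used by modular hashes. '%' is outside this set,
# so a field containing it can never equal any crypt() output.
HASH_ALPHABET = set(string.ascii_letters + string.digits + "./$")
LOCK_MARK = "%"

def parse_passwd(text):
    """Split /etc/passwd-style text into 7-field entries.
    A blank line is rejected rather than skipped silently."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            raise ValueError(f"line {n}: blank line in passwd file")
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        entries.append(fields)
    return entries

def matchable(pw_field):
    """Could some typed password be accepted against this field?
    Empty field: yes (empty password). Only hash-alphabet characters: it is
    a possible crypt() output. Anything else ('*', a '%'-prefixed hash): never."""
    return pw_field == "" or all(c in HASH_ALPHABET for c in pw_field)

def _find(entries, user):
    for fields in entries:
        if fields[0] == user:
            return fields
    raise KeyError(user)

def lock_account(entries, user):
    """Disable logins by prefixing the hash with LOCK_MARK (idempotent)."""
    fields = _find(entries, user)
    if not fields[1].startswith(LOCK_MARK):
        fields[1] = LOCK_MARK + fields[1]

def unlock_account(entries, user):
    """Give the original hash back by stripping LOCK_MARK (idempotent)."""
    fields = _find(entries, user)
    if fields[1].startswith(LOCK_MARK):
        fields[1] = fields[1][len(LOCK_MARK):]

def is_locked(entries, user):
    return _find(entries, user)[1].startswith(LOCK_MARK)

# Constructed sample file; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = (
    "root:RootHashPlaceh:0:0:root:/:/bin/sh\n"
    "eric:EricHashPlaceh:100:10:Eric Black:/usr/eric:/bin/csh\n"
    "guest:*:200:20:No login:/:/bin/sh\n"
)
```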



More information about the Comp.unix.wizards mailing list