adding a * in front of the encrypted pw should be enough
Authored by: betabug on Mar 11, '02 04:05:32AM
I didn't want the original password to go away.

Actually, according to Unix wisdom, just inserting a "*" in front of the encrypted password
should be enough. The "*" is outside of the range of characters that the crypt() library uses
to encrypt passwords. That way the user's password cannot be checked, result: No login possible.

When you want to re-enable login with the same password, you just remove the "*" in front of
the password. I haven't tried it on Mac OS X, but this would be the Unix way of doing it. Also, as
an additional measure of security, set the shell to "/sbin/nologin".

adding a * in front of the encrypted pw should be enough
Authored by: babbage on Mar 11, '02 11:43:08AM
Ok, so just to clarify what you're saying here, if a user's hashed password is, say, Q2w3E4r5T6y, then you can disable that account by simply changing it to *Q2w3E4r5T6y, and it can be restored by changing it back to Q2w3E4r5T6y? I didn't realize that hashed passwords could be tampered with at all without damaging them, so I've always made a point of leaving /etc/passwd alone for the most part (read-only usage only, no editing except by shell tools like "passwd").

So would something like this be considered the canonical way to disable logins on OSX? I know that some things are different here than on other Unixes, and I'm trying to get in the habit of doing things the OSX way...


adding a * in front of the encrypted pw should be enough
Authored by: a1291762 on Mar 11, '02 04:41:42PM

If you modify the encrypted password, chances are it'll be very hard (if not impossible) to guess what the unencrypted version will be. So by adding a char to the beginning (especially a char that isn't valid in an encrypted password) you're changing the unencrypted password to something that the user won't be able to guess.

When you remove that character, the password will be the same as it originally was. There's no "timestamp" or other such information in the password, it's just an encrypted phrase.



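The "*" prefix discussed in the comments above, as an added example that is not part of the original thread: it locks and unlocks a passwd-format entry, checks that a locked field can no longer equal any traditional 13-character crypt() output, and reports locked accounts that still have an interactive shell. The sample entries, their hashes, and the shell list other than "/sbin/nologin" are constructed assumptions.

```python
import re

# Traditional DES crypt(3) output: 2 salt + 11 hash chars, all from [./0-9A-Za-z].
CRYPT_DES = re.compile(r"[./0-9A-Za-z]{13}")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/bin/false"}  # assumed site list


def lock(line):
    """Prefix the password field with '*' unless it is already locked."""
    fields = line.split(":")
    if not fields[1].startswith("*"):
        fields[1] = "*" + fields[1]
    return ":".join(fields)


def unlock(line):
    """Remove exactly one leading '*', restoring the original hash."""
    fields = line.split(":")
    if fields[1].startswith("*"):
        if fields[1] == "*":
            # A bare "*" has no hash behind it; stripping it would leave
            # an empty password field, i.e. a login with no password.
            raise ValueError("refusing to unlock: no hash behind '*'")
        fields[1] = fields[1][1:]
    return ":".join(fields)


def can_match(line):
    """True if the password field could equal some crypt() output."""
    return CRYPT_DES.fullmatch(line.split(":")[1]) is not None


def audit(lines):
    """Return names of locked accounts that still have an interactive shell."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if fields[1].startswith("*") and fields[-1] not in NOLOGIN_SHELLS:
            findings.append(fields[0])
    return findings


# Constructed sample entries in 7-field passwd format (hashes are made up).
SAMPLE = [
    "alice:ab1cD2eF3gH4i:501:20:Alice:/Users/alice:/bin/tcsh",
    "bob:*xy9zQ8wV7uT6s:502:20:Bob:/Users/bob:/bin/tcsh",
    "carol:*mn5oP4qR3sT2u:503:20:Carol:/Users/carol:/sbin/nologin",
]
```

The guard in `unlock` covers system accounts whose password field is only "*", where removing the character would produce an empty password rather than restore one.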
re: adding a * in front of the encrypted pw should be enough
Authored by: Xeo on Mar 11, '02 09:15:00PM

True, adding a * would do this as well, but I think the method I use is much more elegant. To me, it's a lot easier to insert a value then destroy that value instead of actually tampering with the password itself.

I actually toyed with the idea of prepending a * but the method to take that * away is more risky than inserting a separate value that can be destroyed.


