10.4: Hide all low UID users from the login window
Authored by: cshuman on May 22, '06 10:37:49AM

Can you explain further what this actually does? It concerns me to add something called passwd with a value of "*" w/o knowing what it does/why the system ignores it in the login window.

Thanks,

Chris

---
Is there anybody out there? Just nod if you can hear me. Is there anyone home?



10.4: Hide all low UID users from the login window
Authored by: adrianm on May 22, '06 11:01:54AM
It's an olde worlde way of preventing a user from logging in. Bit of a hack IMO, but quite normal.

Another common method is to set the default login shell to /usr/bin/false

I think this is mostly from the days when users were defined in the /etc/passwd file.

The login window seems to respect this behaviour.

You can see OSX's /etc/passwd equivalent by typing this in a Terminal window.


nidump passwd /

The second column is the password field. These are all asterisks in this output, but the ones that do not allow login will have a single *.

10.4: Hide all low UID users from the login window
Authored by: rohanl on May 22, '06 09:58:25PM

The convention of having a '*' in the password entry to block logins started back in the days when the actual encrypted passwd was stored in /etc/passwd.

The encrypted passwd was a string like "hvlAlAxmCi1vc" obtained by using the DES crypt function. An encrypted passwd of "*" was invalid, as no matter what you entered as a passwd it wouldn't encrypt to that.

Nowadays the encrypted passwd is not stored in /etc/passwd to prevent someone from taking the file and working on cracking the passwords in bulk. It's stored elsewhere in a "shadow" file or some other place that is not publicly readable.

But the practice of "*" meaning login disallowed has lived on.



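An added example, not part of any of the posts above: a small Python audit of passwd-style records that classifies the second column the way the comments describe it (a single "*" blocks login, a 13-character DES crypt string is a legacy hash, a run of asterisks means the hash lives elsewhere) and flags the /usr/bin/false shell. The function names, the 10-field record layout, and the sample accounts are assumptions constructed for illustration.

```python
import re

# Traditional DES crypt output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify_password_field(field):
    """Classify the second column of a passwd-style record."""
    if field == "*":
        return "login-blocked"      # '*' is outside the crypt alphabet, so nothing hashes to it
    if field == "":
        return "empty"              # no password set at all
    if set(field) == {"*"}:
        return "stored-elsewhere"   # several asterisks: real hash kept out of this listing
    if DES_CRYPT.fullmatch(field):
        return "des-crypt-hash"     # legacy hash exposed in the record itself
    return "other"

def audit(passwd_text, nologin_shells=("/usr/bin/false",)):
    """Return {user: (uid, password_class, shell_blocks_login)} for each record."""
    report = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # shorter than a 7-field passwd record: skip it
            continue
        name, pw, uid, shell = fields[0], fields[1], int(fields[2]), fields[-1]
        report[name] = (uid, classify_password_field(pw), shell in nologin_shells)
    return report

# Constructed sample records (not real accounts), in an assumed 10-field layout.
SAMPLE = """\
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
alice:********:501:501::0:0:Alice Example:/Users/alice:/bin/bash
legacy:hvlAlAxmCi1vc:502:502::0:0:Legacy Example:/Users/legacy:/bin/bash
"""

if __name__ == "__main__":
    for user, (uid, pw_class, shell_blocked) in audit(SAMPLE).items():
        print(f"{user:8} uid={uid:<4} password={pw_class:16} nologin-shell={shell_blocked}")
```

Any account reported as des-crypt-hash has its hash readable by whoever can read the listing, which is the exposure the move to a shadow store was meant to remove.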