On Thu, Mar 10, 2022 at 09:35:27PM +0100, Marc Haber wrote:
> On Wed, 09 Mar 2022 21:34:33 +0100, Pierre-Elliott Bécue
> <p...@debian.org> wrote:
> >Considering many have replied, I'll stick to that one:
> >Marc Haber <mh+debian-de...@zugschlus.de> wrote on 08/03/2022 at
> >17:49:04+0100:
> >> (3)
> >> #625758
> >> --disabled-password just does not set a password for the newly created
> >> account (resulting in '*' in shadow) while --disabled-login places a '!'
> >> in shadow. On modern systems with PAM, both variants seem to be
> >> identical, allowing login via ssh. Aside from the documentation needing
> >> change to document reality, should we introduce a --no-set-password
> >> option and deprecate the two older options (to be removed in trixie+2)?
> >
> >How about --disabled-login => shell is set to /usr/sbin/nologin ?
>
> I have noted that as one of the options for my summary. I assume that
> in that case, the password should still be * to avoid creating an
> active unlocked account with empty password?

+1 to --disabled-login setting the shell to /usr/sbin/nologin with
documentation being updated to reflect this. I'd suggest a default
behavior of a password of '*', with the ability to override it and
prompt for a real password with a "--set-password". Although honestly,
I also wouldn't be opposed to requiring an extra step of calling
'usermod' to set a password for a disabled account. It's sort of a
special case, and not one that has to be explicitly handled by adduser.

noah
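
The account states discussed in this thread, as an added example that is not part of any message above and is not adduser code: a small audit that reads passwd(5) and shadow(5) text and reports which accounts have an empty password field, which have '*' or '!' but still a usable shell, and which have a nologin shell. The account names, sample lines, finding labels and the set of nologin shells are constructed assumptions.

```python
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # assumed set

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
svc-star:x:1001:1001::/home/svc-star:/bin/bash
svc-bang:x:1002:1002::/home/svc-bang:/bin/bash
svc-nologin:x:1003:1003::/home/svc-nologin:/usr/sbin/nologin
svc-empty:x:1004:1004::/home/svc-empty:/bin/bash
alice:x:1005:1005::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
svc-star:*:19061:0:99999:7:::
svc-bang:!:19061:0:99999:7:::
svc-nologin:*:19061:0:99999:7:::
svc-empty::19061:0:99999:7:::
alice:$y$j9T$constructedsalt$constructedhash:19061:0:99999:7:::
"""

def password_state(field):
    """Map a shadow(5) password field to a coarse state."""
    if field == "":
        return "empty"    # no password required: the case to avoid
    if field.startswith("!"):
        return "locked"   # '!', which the thread attributes to --disabled-login
    if field == "*":
        return "none"     # '*', which the thread attributes to --disabled-password
    return "set"

def audit(passwd_text, shadow_text):
    """Return {user: (password_state, finding)} for every passwd entry."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l)
    report = {}
    for fields in (l.split(":") for l in passwd_text.splitlines() if l):
        name, shell = fields[0], fields[6]
        state = password_state(shadow[name]) if name in shadow else "missing"
        if state == "empty":
            finding = "empty-password"
        elif shell in NOLOGIN_SHELLS:
            finding = "no-interactive-login"
        elif state == "set":
            finding = "password-login"
        else:  # '*', '!' or no shadow entry, but a usable shell remains
            finding = "shell-usable-without-password"
        report[name] = (state, finding)
    return report

if __name__ == "__main__":
    for user, result in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(user, *result)
```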