Quoth Dr. Mark A. Friedman at 2009-10-16 13:25...
> Upon installation, Debian includes users libuuid and Debian-exim in
> /etc/shadow with an empty password field:
>
> libuuid::14292:0:99999:7:::
> Debian-exim::14377:0:99999:7:::

Interesting question. Can't answer it, but will recount a similar situation I've visited recently.

Only last week I was looking at possible security loopholes in a web application I am writing. Found a similar scenario: Users were being created with a blank password, but not enabled. Only when the account was enabled would they be able to log in.

I surmised that if there were some unknown loophole that would allow the "user active y/n" check to be bypassed, entering the user name (if it were known) with a null password would allow a login to take place.

To prevent this from happening, I am generating a random password (which is stored as a cryptographic hash) which is actually longer than the application will accept. Whilst I can't see any way that the user active check could be bypassed, this gives an extra level of security, just in case.

Cheers

M

--
Matthew Smith
Smiffytech - Technology Consulting & Web Application Development
Business: http://www.smiffytech.com/
Blog/personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy
Skype: msmiffy
Twitter: @smiffy
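
The placeholder-password approach described in the message above, sketched as an added example that is not part of the original post or the poster's application. The 64-character form limit, the PBKDF2 parameters and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_PASSWORD_LEN = 64   # assumed: longest password the login form accepts
ITERATIONS = 200_000    # assumed PBKDF2 work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_account(username: str, placeholder: bool = True) -> dict:
    """Create a disabled account.

    placeholder=False reproduces the blank-password scheme from the post;
    placeholder=True stores the hash of a random secret that is discarded
    and is longer than the form accepts.
    """
    salt = secrets.token_bytes(16)
    # token_hex(n) yields 2*n characters, i.e. twice MAX_PASSWORD_LEN
    secret = secrets.token_hex(MAX_PASSWORD_LEN) if placeholder else ""
    return {"user": username, "active": False,
            "salt": salt, "hash": _hash(secret, salt)}


def check_password(account: dict, password: str) -> bool:
    """The password check on its own: all that is left if the
    'user active' check is ever bypassed."""
    if len(password) > MAX_PASSWORD_LEN:
        return False
    return hmac.compare_digest(_hash(password, account["salt"]), account["hash"])


def enable(account: dict, password: str) -> None:
    """Activate the account with a password the user chose."""
    if not 0 < len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password length out of range")
    account["salt"] = secrets.token_bytes(16)
    account["hash"] = _hash(password, account["salt"])
    account["active"] = True


def login(account: dict, password: str) -> bool:
    return account["active"] and check_password(account, password)
```

With `placeholder=False`, `check_password(account, "")` succeeds on a disabled account, so the active flag is the only barrier; with the placeholder, the same call fails.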