[NTLUG:Discuss] Re: Create User Account
Patrick R. Michaud
pmichaud at pobox.com
Thu Jan 19 12:39:38 CST 2006

On Wed, Jan 18, 2006 at 06:42:14PM -0600, Dennis Rice wrote:
> I agree that you noting about the man page, but it does not return the
> encrypted password, at least it does not when you use the command
> "useradd username -p 'password' ". It should, but... I have used the
> command and saw that it is putting the unencrypted password into the
> shadow file, at least in Fedora Core 3.

I'm probably repeating something already said, but just for clarification...

The -p argument to useradd(8) is supposed to be an *already encrypted*
password string, not a cleartext password. Because the argument
to -p is an already encrypted string, useradd simply puts it into
the shadow file verbatim. (Of course, this doesn't properly set
the password, because the password fields in /etc/shadow have to
be encrypted in order to work properly.)

It could be argued that useradd should perform the encryption,
but this leads to the security risks already outlined, such as
cleartext passwords appearing in logs and history files. What
useradd is doing is providing an easy way for Perl/Python/PHP
scripts to create accounts, since Perl/Python/PHP can easily generate
encrypted strings to pass to useradd. Calling useradd(8) to do
account creation is much more robust and secure than modifying
the /etc/passwd, /etc/shadow, etc. files directly.

Pm
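
Added example, not part of the original message: a Python audit that flags /etc/shadow password fields that are not in a recognised crypt(3) format, which is what a cleartext string passed to `useradd -p` leaves behind. The sample lines are constructed, and the function names `classify` and `audit` are this example's own.

```python
import re

B64 = r"[./0-9A-Za-z]"
# $1$ = MD5-crypt, $5$ = SHA-256-crypt, $6$ = SHA-512-crypt
MCF = re.compile(rf"^\$(1|5|6)\$(?:rounds=\d+\$)?{B64}{{1,16}}\$({B64}+)$")
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}
DES = re.compile(rf"^{B64}{{13}}$")  # traditional 13-character DES crypt

def classify(field):
    """Classify the password (second) field of an /etc/shadow entry."""
    if field == "":
        return "empty"                    # no password required at all
    body = field.lstrip("!")              # a leading '!' marks a locked entry
    if body in ("", "*"):
        return "locked"
    m = MCF.match(body)
    if m:
        ok = len(m.group(2)) == DIGEST_LEN[m.group(1)]
        return "hash" if ok else "malformed"
    if re.match(r"^\$[0-9a-z]+\$", body):
        return "hash-unverified"          # other $id$ scheme; review by hand
    if DES.match(body):
        return "hash"                     # a 13-char cleartext would also land here
    return "cleartext"                    # stored verbatim, can never match a login

def audit(shadow_text):
    """Return (user, verdict) pairs for entries that need attention."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue
        verdict = classify(parts[1])
        if verdict in ("cleartext", "empty", "malformed"):
            findings.append((parts[0], verdict))
    return findings

# Constructed sample entries, not taken from a real system.
SAMPLE = "\n".join([
    "root:$6$Zs9xT1qA$" + "a" * 86 + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "newuser:!!:19000:0:99999:7:::",
    "alice:password:13167:0:99999:7:::",  # result of: useradd alice -p 'password'
    "legacy:$1$abcdefgh$" + "b" * 22 + ":13000:0:99999:7:::",
    "broken:$6$Zs9xT1qA$tooshort:19000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE):
        print(f"{user}: {verdict}")
```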