[NTLUG:Discuss] Re: Create User Account

Chris Cox cjcox at acm.org
Thu Jan 19 13:13:14 CST 2006


Patrick R. Michaud wrote:
> On Wed, Jan 18, 2006 at 06:42:14PM -0600, Dennis Rice wrote:
>>I agree with what you are noting about the man page, but it does not return the 
>>encrypted password, at least it does not when you use the command 
>>"useradd username -p 'password' ".  It should, but...  I have used the 
>>command and saw that it is putting the unencrypted password into the 
>>shadow file, at least in Fedora Core 3.
> 
> I'm probably repeating something already said, but just for clarification...
> 
> The -p argument to useradd(8) is supposed to be an *already encrypted*
> password string, not a cleartext password.  Because the argument
> to -p is an already encrypted string, useradd simply puts it into
> the shadow file verbatim.  (Of course, this doesn't properly set
> the password, because the password fields in /etc/shadow have to
> be encrypted in order to work properly.)
> 
> It could be argued that useradd should perform the encryption,
> but this leads to the security risks already outlined, such as
> cleartext passwords appearing in logs and history files.  What
> useradd is doing is providing an easy way for Perl/Python/PHP 
> scripts to create accounts, since Perl/Python/PHP can easily generate
> encrypted strings to pass to useradd.  Calling useradd(8) to do
> account creation is much more robust and secure than modifying
> the /etc/passwd, /etc/shadow, etc. files directly.

Of course, if you're using Red Hat (possibly others) you
can use newusers to create a ton of users from a file.
(again, assume encrypted passwords)

Just an FYI... not really a reply to all of this.
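
The symptom described in this thread, a cleartext string left in the password field of /etc/shadow after `useradd -p 'password'`, can be checked for mechanically. The following is an added example, not part of the original thread: it classifies the second field of shadow-format lines and reports entries that are empty or not hash-shaped. The function names and the sample entries are constructed for illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"
# Shapes of crypt(3) output. A 13-character alphanumeric cleartext would also
# match the legacy DES shape, so "hashed" means "hash-shaped", not "verified".
HASH_SHAPES = [
    re.compile(rf"^{B64}{{13}}$"),                                    # legacy DES
    re.compile(rf"^\$1\$[^$]{{0,8}}\${B64}{{22}}$"),                  # MD5-crypt
    re.compile(rf"^\$5\$(rounds=\d+\$)?[^$]{{0,16}}\${B64}{{43}}$"),  # SHA-256-crypt
    re.compile(rf"^\$6\$(rounds=\d+\$)?[^$]{{0,16}}\${B64}{{86}}$"),  # SHA-512-crypt
    re.compile(rf"^\$2[abxy]?\$\d\d\${B64}{{53}}$"),                  # bcrypt
]

def classify(field):
    """Classify the password field (2nd column) of one shadow entry."""
    if field == "":
        return "empty"                    # no password required at all
    body = field.lstrip("!")              # leading '!' marks a locked account
    if body in ("", "*"):
        return "locked"
    if any(p.match(body) for p in HASH_SHAPES):
        return "locked-hash" if body != field else "hashed"
    return "not-a-hash"                   # e.g. cleartext passed to useradd -p

def audit(shadow_text):
    """Return (line_no, user, verdict) for entries that need attention."""
    findings = []
    for n, line in enumerate(shadow_text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) < 2:
            continue                      # blank or malformed line
        verdict = classify(parts[1])
        if verdict in ("not-a-hash", "empty"):
            findings.append((n, parts[0], verdict))
    return findings

# Constructed sample entries (not real hashes; padded to the correct lengths).
SAMPLE = "\n".join([
    "root:$6$saltsalt$" + "A" * 86 + ":13167:0:99999:7:::",
    "alice:$1$Qx3kLm9z$" + "b" * 22 + ":13167:0:99999:7:::",
    "bob:password:13167:0:99999:7:::",    # cleartext written verbatim
    "daemon:*:13167:0:99999:7:::",
    "carol:!!:13167:0:99999:7:::",
    "dave::13167:0:99999:7:::",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Against a real system, the same `audit()` function can be fed the contents of /etc/shadow read as root; only the account name and verdict are reported, never the field itself.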