[SunHELP] Difference between NP and *LK* in shadow file


Tue Apr 29 13:25:34 CDT 2003


FYI on a related topic ...

Just recently ssh stopped trusting dsa keys between two of our systems. It
turned out a Solaris 8 patch had been applied recently which changed the
default behavior of the PAM libraries. We had accounts with "*LK*" because we
required users to use sudo to become these users; there was no password.

Turns out as of late, Sun made a change so that *LK* no longer behaved the
same as NP. Now *LK* means that the account is "truly" locked. Changing this
field to NP fixed our problem.

--Buddy

-----Original Message-----
From: Pedro Roman Vela [mailto:Pedro.Roman at ydilo.com]
Sent: Monday, April 28, 2003 1:02 PM
To: 'Simoncini, Matthew'
Cc: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Difference between NP and *LK* in shadow file


As far as I know, it's just a matter of taste. Both are strings the hashing
algorithm that converts the password you write into a unique string will
never produce, so the accounts are effectively "locked" from common login
access.

I think the locking you are talking about has more to do with disabling any
possibility of logging into that account, by setting the shell to /dev/null,
for example.

-----Original Message-----
From: Simoncini, Matthew [mailto:Matthew.Simoncini at bsci.com]
Sent: Monday, April 28, 2003 20:20
To: 'Dale Ghent'; Simoncini, Matthew
Cc: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Difference between NP and *LK* in shadow file


Thank you for all of the responses, but I should have stated in my first
post that I know that *LK* means locked and NP means No Password. I should
have clarified that the information that I'm interested in has more to do
with security and usability. We have certain applications that require a
Solaris userid to run, but no one will ever actually log in as this
particular user. Is it more accepted to input an NP in the password field of
/etc/shadow or to lock the account by using the 'passwd -l' option?

I'm not sure, but many of you might be running the Sun NetConnect for
monitoring your systems. Prior to the install, you must create a userid for
NetConnect so that any processes not needing root privilege will run as the
newly created user. The install directions say not to lock the account, but
essentially disable the login ability by using NP in the password field.

These directions from Sun prompted my boss to ask me the difference in *LK*
and NP.

Thanks again for all the responses so far.

Matthew Simoncini
Unix Administrator
Boston Scientific / Accenture

> -----Original Message-----
> From: Dale Ghent [mailto:daleg at elemental.org]
> Sent: Monday, April 28, 2003 2:10 PM
> To: Simoncini, Matthew
> Cc: 'sunhelp at sunhelp.org'
> Subject: Re: [SunHELP] Difference between NP and *LK* in shadow file
>
>
> On Monday, Apr 28, 2003, at 11:56 US/Eastern, Simoncini, Matthew wrote:
>
> > Hello gurus,
> >
> > I may be showing my ignorance on this question, but what's the difference
> > between NP and *LK* in the shadow file? I'm just shooting this question off
> > quickly because someone asked me and I don't have the time to research it,
> > but knew someone here would have the answer.
>
> *LK* means that the account is "locked" or disabled.
>
> This is the default state for a newly created account until a new
> password is set, or when an account is locked via the usermod utility.
>
> /ek
> http://elektronkind.org/
_______________________________________________
SunHELP maillist  -  SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp
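
An added example, not part of the original thread or any Sun tooling: a small shell audit that classifies the password field of shadow-format entries, so that service accounts marked *LK* (the ones that, per the first message above, stopped working with ssh keys after the PAM change) can be told apart from NP accounts. The sample entries and function names are constructed, and treating any field that begins with *LK* as locked is an assumption.

```shell
#!/bin/sh
# Added example: audit the password field (2nd field) of shadow-format lines.

# Constructed sample data in /etc/shadow layout; names and hash are made up.
sample_shadow() {
    cat <<'EOF'
root:aaBBccDDeeFFg:12000::::::
daemon:NP:6445::::::
appsvc:*LK*:12100::::::
netconn:NP:12101::::::
olduser:*LK*aaBBccDDeeFFg:12050::::::
blank::12102::::::
EOF
}

# classify_shadow: read shadow lines on stdin, print "user STATE" per entry.
#   EMPTY    - field is empty (no password required at all)
#   NP       - literal NP: no valid password, account itself not locked
#   LOCKED   - field starts with *LK* (assumption: a prefix also means locked)
#   PASSWORD - anything else, treated as a password hash
classify_shadow() {
    awk -F: '
        /^#/ || NF < 2           { next }   # skip comments and blank lines
        $2 == ""                 { print $1, "EMPTY";  next }
        $2 == "NP"               { print $1, "NP";     next }
        index($2, "*LK*") == 1   { print $1, "LOCKED"; next }
                                 { print $1, "PASSWORD" }
    '
}

# locked_accounts: names of LOCKED entries only. These are the accounts to
# review if sudo or key-based access to them is still expected to work.
locked_accounts() {
    classify_shadow | awk '$2 == "LOCKED" { print $1 }'
}

# Demonstration on the constructed sample. For a real system, run as root:
#   classify_shadow < /etc/shadow
sample_shadow | classify_shadow
```

An EMPTY result deserves attention first, since it is the only state here that permits login with no password.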
