Difference between NP and *LK* in /etc/shadow
Marc Bigler
What's the difference between "NP" and "*LK*" in the password field of
the file /etc/shadow ? For me both accounts are locked with these
entries with the difference that with "*LK*" crontab won't work anymore
but if I use "NP" crontab will still work for that user....
Regards
Tony Walton
>
> Hello,
>
> What's the difference between "NP" and "*LK*" in the password field of
> the file /etc/shadow ?
Nothing at all. *Anything* that can't be a valid encrypted password -
that is, anything that isn't a 13 character string consisting of the
characters [0-9A-Za-z]./ will "lock" the account as there is no password
that can be entered to allow access.
> For me both accounts are locked with these
> entries with the difference that with "*LK*" crontab won't work anymore
> but if I use "NP" crontab will still work for that user....
Please show how you reproduce this - I've just tried both *LK* and NP
and can still use crontab -e in both cases if I su to the locked out
user.
--
Tony
Martin Paul
> Marc Bigler wrote:
>> For me both accounts are locked with these
>> entries with the difference that with "*LK*" crontab won't work anymore
>> but if I use "NP" crontab will still work for that user....
>
> Please show how you reproduce this - I've just tried both *LK* and NP
> and can still use crontab -e in both cases if I su to the locked out
> user.
Maybe he means that cron jobs aren't executed anymore ? Haven't tried
it, but that would conform with what the man pages tell (Solaris 9):
man cron:
cron and at jobs will be not be executed if the user's
account is locked. Only accounts which are not locked as
defined in shadow(4) will have their job or process exe-
cuted.
man shadow:
The lock string is defined as *LK* in the first
four characters of the password field.
mp.
--
Martin Paul | Systems Administrator
Institute for Software Science | mar...@par.univie.ac.at
University of Vienna, Austria | http://www.par.univie.ac.at/
Chris Thompson
>> For me both accounts are locked with these
>> entries with the difference that with "*LK*" crontab won't work anymore
>> but if I use "NP" crontab will still work for that user....
>
>Please show how you reproduce this - I've just tried both *LK* and NP
>and can still use crontab -e in both cases if I su to the locked out
>user.
I suspect it's not a question of being able to set up a crontab, but
whether cron will want to execute it as the locked user it when the time
comes. I'm a bit surprised that *LK* versus NP would make a difference,
though. Solaris release? cron patch level? pam patch level?
Chris Thompson
Email: cet1 [at] cam.ac.uk
Philip Brown
>...
>I suspect it's not a question of being able to set up a crontab, but
>whether cron will want to execute it as the locked user it when the time
>comes. I'm a bit surprised that *LK* versus NP would make a difference,
>though. Solaris release? cron patch level? pam patch level?
I've noticed that certain things work by default, but if you then run
"JASS" for example, they stop working.
I had a user that root could do
su user -c "whatever"
that worked fine with the user shell set to /bin/false. But after
running JASS, that stopped working.
--
http://www.blastwave.org/ for solaris pre-packaged binaries
[Trim the no-bots from my address to reply to me by email!]
[ Do NOT email-CC me on posts. Pick one or the other.]
S.1618 http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:@@@D
http://www.spamlaws.com/state/ca1.html
Martin Paul
> comes. I'm a bit surprised that *LK* versus NP would make a difference,
> though. Solaris release? cron patch level? pam patch level?
Testing shows that the behaviour changed from Solaris 8 2/02 to
Solaris 9 FCS. cron indeed looks for *LK* in the passwd field
now, and it seems like it's cron itself that changed (not pam).
It's exactly such "minor" changes which I really would like to
find in the Solaris release notes ..
ldd /usr/sbin/cron output has changed between 8 and 9 too,
it were 11 libs before, and it's 24 now. New are e.g.
libxml2.so.2 and libmd5.so.1. Does anybody know why ?