Fix verify_password gatherer for scenarios where there is not hash #305
func (suite *PasswordTestSuite) TestPasswordGatherCryptError() { | ||
shadow := []byte("hacluster:$aaaa$aaaa") | ||
func (suite *PasswordTestSuite) TestPasswordGatherNotEncrypted() { | ||
shadow := []byte("hacluster:!:19029::::::") |
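Review bot: the fixture in TestPasswordGatherNotEncrypted, `hacluster:!:19029::::::`, has a password field of only `!`, which is an entry with no usable password rather than an unencrypted one, so the test name does not describe the case; a name along the lines of TestPasswordGatherNoPassword would. Consider sibling fixtures for a `*` field and for an empty field as well, and note that the other fixture, `hacluster:$aaaa$aaaa`, lacks the trailing fields this one carries, so the two inputs are not in the same line format.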
Hey @arbulu89, just wondering about this: why is the test name "...NotEncrypted"? seems to me it's more simply about the case where no password is set (rather than not encrypted).
Also, about the exclamation mark, I think an exclamation mark at the start of the field means simply "account disabled" while an exclamation mark in the content of the hash is an invalid hash (as it is an invalid character in this context)
Yes, we could improve the naming of the test.
About what the `!` means, based on this:
https://linuxize.com/post/etc-shadow-file/
If the password field contains an asterisk (*) or exclamation point (!), the user will not be able to login to the system using password authentication. Other login methods like key-based authentication or switching to the user are still allowed.
I think I understand my doubts now, there is a "common practice" (even documented in `man 5 shadow`) that says that if you add a `!` as the first character of a password it means "password disabled" but in reality, adding it anywhere will block the password anyways. So effectively, a password containing just `!` or `*` means: "no password, and also no login allowed".
Sounds good 👍
https://bugzilla.suse.com/show_bug.cgi?id=1217543
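The password-field cases discussed in this review thread, as an added Go example that is not the project's gatherer code: it classifies the second field of a shadow line so that only a well-formed hash would ever be passed on for verification. `State`, `Classify` and `looksLikeCrypt` are hypothetical names, and any `$6$salt$digest` input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// State is a hypothetical classification of the password field (2nd field) of a shadow entry.
type State string

const (
	Empty      State = "empty"       // empty field: no password required
	NoLogin    State = "no-login"    // only "!" / "*": nothing to verify
	LockedHash State = "locked-hash" // "!" prepended to an otherwise well-formed hash
	Hash       State = "hash"        // $id$...$digest shape, candidate for verification
	Invalid    State = "invalid"     // anything else is not a crypt(3) result
)

// looksLikeCrypt checks only the modular $id$...$digest shape, not the digest itself.
func looksLikeCrypt(pw string) bool {
	parts := strings.Split(pw, "$")
	return len(parts) >= 4 && parts[0] == "" && parts[1] != "" &&
		parts[len(parts)-1] != "" && !strings.ContainsAny(pw, "!*")
}

// Classify splits one shadow line and classifies its password field.
func Classify(line string) (string, State, error) {
	fields := strings.Split(strings.TrimSpace(line), ":")
	if len(fields) < 2 || fields[0] == "" {
		return "", Invalid, fmt.Errorf("malformed shadow line")
	}
	user, pw := fields[0], fields[1]
	switch {
	case pw == "":
		return user, Empty, nil
	case strings.Trim(pw, "!*") == "":
		return user, NoLogin, nil
	case strings.HasPrefix(pw, "!") && looksLikeCrypt(strings.TrimLeft(pw, "!")):
		return user, LockedHash, nil
	case looksLikeCrypt(pw):
		return user, Hash, nil
	}
	return user, Invalid, nil
}

func main() {
	// Fixture taken from the diff on this page.
	fmt.Println(Classify("hacluster:!:19029::::::"))
}
```

Both fixtures from the diff land outside the `hash` state: the `!` entry is `no-login` and `$aaaa$aaaa` is `invalid`.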