"GOT", but the "O" is a cute, smiling pufferfish. Index | Thread | Search

From: Alexander Arkhipov <aa@manpager.net>
Subject: Re: anonymous gotsh user's password entry and security(8)
To: gameoftrees@openbsd.org
Date: Thu, 15 Jun 2023 18:05:42 +0300

Theo Buehler writes:
> On Wed, Jun 14, 2023 at 05:06:00PM +0000, Lucas wrote:
> > Theo Buehler <tb@theobuehler.org> wrote:
> > > On Wed, Jun 14, 2023 at 06:24:00PM +0200, Stefan Sperling wrote:
> > > > On Wed, Jun 14, 2023 at 05:39:28PM +0300, Alexander Arkhipov wrote:
> > > > > Sorry if that's been asked before: I've read the gotd(8), gotsh(1) and
> > > > > got.conf(5) man pages, and searched through the list, but can't find the
> > > > > information.
> > > > > 
> > > > > I have anonymous gotd set up on an OpenBSD box. The password entry looks
> > > > > like this:
> > > > > 
> > > > > anon::1006:1006::0:0:Anon:/var/empty:/usr/local/bin/gotsh
> > > > > 
> > > > > However, I get daily messages to my mail like so:
> > > > > 
> > > > > > Running security(8):
> > > > > > 
> > > > > > Checking the /etc/master.passwd file:
> > > > > > Login anon has no password.
> > > > > 
> > > > > I have also read security(8), and the script /usr/libexec/security
> > > > > itself. It seems that an exception is only ever made for the user
> > > > > anoncvs running anoncvssh.
> > > > > 
> > > > > 		nag $pwd eq '' && !($name eq 'anoncvs' &&
> > > > > 				    $shell =~ /\/anoncvssh$/),
> > > > > 		    "Login $name has no password.";
> > > > > 
> > > > > So, is there something special I need to do to get rid of these
> > > > > messages? Do I just make an ad-hoc modification of the script and wait
> > > > > for better times?
> > > > 
> > > > For now, either ignore the message or tweak the script. I don't know if
> > > > a patch to security(8) to remove this message for gotsh(1) in a similar
> > > > way would be accepted. Probably not at this stage.
> > > 
> > > I thought setting the password field to '*************' (13 stars) was
> > > one way of silencing this warning. One of useradd or adduser does this
> > > and the security script has a "length $pwd != 13" exemption for that
> > > reason.
> > 
> > That's partially correct. However, that only works as long as there is
> > an alternative login method (an SSH key, for example), but for anongot,
> > you need a passwordless user.
>
> Right, the 13 stars don't work in that situation. However, using an
> empty password does seem to work although I haven't tested it with gotsh:
>
> $ encrypt ''

I recently switched my mail client, and accidentally sent my last
message only to tb@, sorry. Here's the original message:

> Oh, right, somehow the thought of running encrypt with an empty string
> never occurred to me. Thanks, works like a charm!
> 
> Alexander

And here's a diff adding the information to the gotsh(1) man page:

diff /home/aa/ar/got
commit - 1f8d584437c06db990ac352cce06402c80b1f6a4
path + /home/aa/ar/got
blob - 6388edcc1cf538c87de0145789b59d6972dec668
file + gotsh/gotsh.1
--- gotsh/gotsh.1
+++ gotsh/gotsh.1
@@ -130,6 +130,24 @@ Use of an empty password must be explicitly allowed in
 anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh
 .Ed
 .Pp
+On
+.Ox
+the command
+.Xr encrypt 1
+can be used with an empty string:
+.Bd -literal
+$ encrypt ''
+.Ed
+.Pp
+and the password entry can instead look like this example:
+.Bd -literal
+anonymous:<encrypted password>:1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh
+.Ed
+.Pp
+This method has the advantage that
+.Xr security 8
+will not consider the user's password to be empty.
+.Pp
 Use of an empty password must be explicitly allowed in
 .Xr sshd_config 5 :
 .Bd -literal -offset indent
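Review bot: the sentence "This method has the advantage that security(8) will not consider the user's password to be empty" overstates what changes. The field now holds the hash of an empty string (the output of `encrypt ''`), so the account still accepts an empty password, and the requirement in the paragraph that follows ("Use of an empty password must be explicitly allowed in sshd_config(5)") still applies; say so explicitly, for instance "security(8) will no longer report the account as having no password, although the password remains empty", so readers do not take the sshd_config(5) step below as optional once the warning is gone. Two smaller points in the same hunk: the two new `.Bd -literal` blocks lack the `-offset indent` that the existing block at the end of the hunk uses (`.Bd -literal -offset indent`), and "and the password entry can instead look like this example:" reads awkwardly; "and its output placed in the password field:" is clearer.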
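The check the thread is about, as an added example that is not part of this message, the got project, or OpenBSD's /usr/libexec/security: a small POSIX sh reimplementation of the quoted "Login $name has no password." rule (empty field flagged unless the user is anoncvs running anoncvssh), run over constructed master.passwd(5) entries. It shows why the `encrypt ''` trick silences the warning: the rule inspects only whether the field is empty, so a hash of the empty string passes, even though the account still accepts an empty password. The user names and paths are invented, and the bcrypt-looking string is a made-up placeholder for the output of `encrypt ''`, not a real hash.

```shell
#!/bin/sh
# Added example: a reimplementation of the security(8) "no password" rule
# quoted in the thread, not the script shipped with OpenBSD.

# check_entry LINE -> prints "nag" if security(8) would report the entry,
# "ok" otherwise. Mirrors the quoted Perl:
#   nag $pwd eq '' && !($name eq 'anoncvs' && $shell =~ /\/anoncvssh$/)
check_entry() {
    entry=$1
    name=${entry%%:*}          # field 1: login name
    rest=${entry#*:}
    pwd=${rest%%:*}            # field 2: password hash (may be empty)
    shell=${entry##*:}         # last field: login shell

    if [ -z "$pwd" ]; then
        case "$name:$shell" in
            anoncvs:*/anoncvssh) echo ok ;;   # the only built-in exemption
            *) echo nag ;;
        esac
        return
    fi
    echo ok                    # any non-empty field passes this rule
}

# report: read master.passwd-style lines on stdin and print the message
# security(8) would mail for each flagged entry.
report() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$(check_entry "$line")" = nag ]; then
            name=${line%%:*}
            echo "Login $name has no password."
        fi
    done
}

# Constructed sample entries (not from any real system).
EMPTY='anon::1006:1006::0:0:Anon:/var/empty:/usr/local/bin/gotsh'
STARS='locked:*************:1007:1007::0:0:Locked:/var/empty:/sbin/nologin'
# Placeholder standing in for `encrypt ''` output; not a real bcrypt hash.
HASHED='anonymous:$2b$10$madeupsaltmadeupsaltmamadeuphashmadeuphashmadeuphashmad:1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh'
ANONCVS='anoncvs::1008:1008::0:0:AnonCVS:/var/empty:/usr/local/bin/anoncvssh'

# Only the first entry is reported: the starred and hashed fields are
# non-empty, and anoncvs with anoncvssh is exempted by name and shell.
printf '%s\n' "$EMPTY" "$STARS" "$HASHED" "$ANONCVS" | report
```

The 13-star form passes the rule too, but as Lucas points out in the thread it locks the account, whereas the hash of an empty string keeps an empty-password login working; neither form changes what sshd_config(5) has to allow.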