From: Theo Buehler <tb@theobuehler.org>
Subject: Re: anonymous gotsh user's password entry and security(8)
To: Omar Polo <op@omarpolo.com>
Cc: Alexander Arkhipov <aa@manpager.net>, gameoftrees@openbsd.org
Date: Wed, 14 Jun 2023 19:03:15 +0200

> > I thought setting the password field to '*************' (13 stars) was
> > one way of silencing this warning. One of useradd or adduser does this
> > and the security script has a "length $pwd != 13" exemption for that
> > reason.
> 
> yay, it works!  Thank you! \o/
> 
> 13 '*' characters are needed in /etc/master.passwd, not (only?)
> /etc/passwd.  For now, I have 13 '*' in both :-)

It's needed in /etc/master.passwd, since that's what's being parsed in
security(8)'s sub check_passwd.

I think it is historical behavior of user(8) that was removed with
in user.c r1.112 (DES_Len was 13):

-       if (up->u_password != NULL && valid_password_length(up->u_password)) {
-               (void) strlcpy(password, up->u_password, sizeof(password));
-       } else {
-               (void) memset(password, '*', DES_Len);
-               password[DES_Len] = 0;