From: Lucas <lucas@sexy.is>
Subject: Re: anonymous gotsh user's password entry and security(8)
To: Alexander Arkhipov <aa@manpager.net>
Cc: gameoftrees@openbsd.org
Date: Wed, 14 Jun 2023 17:06:00 +0000

Theo Buehler <tb@theobuehler.org> wrote:
> On Wed, Jun 14, 2023 at 06:24:00PM +0200, Stefan Sperling wrote:
> > On Wed, Jun 14, 2023 at 05:39:28PM +0300, Alexander Arkhipov wrote:
> > > Sorry if that's been asked before: I've read the gotd(8), gotsh(1) and
> > > got.conf(5) man pages, and searched through the list, but can't find the
> > > information.
> > > 
> > > I have anonymous gotd set up on an OpenBSD box. The password entry looks
> > > like this:
> > > 
> > > anon::1006:1006::0:0:Anon:/var/empty:/usr/local/bin/gotsh
> > > 
> > > However, I get daily messages to my mail like so:
> > > 
> > > > Running security(8):
> > > > 
> > > > Checking the /etc/master.passwd file:
> > > > Login anon has no password.
> > > 
> > > I have also read security(8), and the script /usr/libexec/security
> > > itself. It seems that an exception is only ever made for the user
> > > anoncvs running anoncvssh.
> > > 
> > > 		nag $pwd eq '' && !($name eq 'anoncvs' &&
> > > 				    $shell =~ /\/anoncvssh$/),
> > > 		    "Login $name has no password.";
> > > 
> > > So, is there something special I need to do to get rid of these
> > > messages? Do I just make an ad-hoc modification of the script and wait
> > > for better times?
> > 
> > For now, either ignore the message or tweak the script. I don't know if
> > a patch to security(8) to remove this message for gotsh(1) in a similar
> > way would be accepted. Probably not at this stage.
> 
> I thought setting the password field to '*************' (13 stars) was
> one way of silencing this warning. One of useradd or adduser does this
> and the security script has a "length $pwd != 13" exemption for that
> reason.

That's partially correct. However, that only works as long as there is
an alternative login method (an SSH key, for example), but for anongot,
you need a passwordless user. The only way around I found for my mirror
was modifying /usr/libexec/security. I don't have a diff for it, but
given I don't plan to run a CVS mirror in that machine, I changed

		nag $pwd eq '' && !($name eq 'anoncvs' &&
				    $shell =~ /\/anoncvssh$/),

to

		nag $pwd eq '' && !($name eq 'anon' &&
				    $shell =~ /\/gotsh$/),