From: Alexander Arkhipov
Subject: Re: anonymous gotsh user's password entry and security(8)
To: gameoftrees@openbsd.org
Date: Thu, 15 Jun 2023 18:05:42 +0300

Theo Buehler writes:
> On Wed, Jun 14, 2023 at 05:06:00PM +0000, Lucas wrote:
> > Theo Buehler wrote:
> > > On Wed, Jun 14, 2023 at 06:24:00PM +0200, Stefan Sperling wrote:
> > > > On Wed, Jun 14, 2023 at 05:39:28PM +0300, Alexander Arkhipov wrote:
> > > > > Sorry if that's been asked before: I've read the gotd(8), gotsh(1) and
> > > > > got.conf(5) man pages, and searched through the list, but can't find the
> > > > > information.
> > > > >
> > > > > I have anonymous gotd set up on an OpenBSD box. The password entry looks
> > > > > like this:
> > > > >
> > > > > anon::1006:1006::0:0:Anon:/var/empty:/usr/local/bin/gotsh
> > > > >
> > > > > However, I get daily messages to my mail like so:
> > > > >
> > > > > > Running security(8):
> > > > > >
> > > > > > Checking the /etc/master.passwd file:
> > > > > > Login anon has no password.
> > > > >
> > > > > I have also read security(8), and the script /usr/libexec/security
> > > > > itself. It seems that an exception is only ever made for the user
> > > > > anoncvs running anoncvssh.
> > > > >
> > > > > nag $pwd eq '' && !($name eq 'anoncvs' &&
> > > > > $shell =~ /\/anoncvssh$/),
> > > > > "Login $name has no password.";
> > > > >
> > > > > So, is there something special I need to do to get rid of these
> > > > > messages? Do I just make an ad-hoc modification of the script and wait
> > > > > for better times?
> > > >
> > > > For now, either ignore the message or tweak the script. I don't know if
> > > > a patch to security(8) to remove this message for gotsh(1) in a similar
> > > > way would be accepted. Probably not at this stage.
> > >
> > > I thought setting the password field to '*************' (13 stars) was
> > > one way of silencing this warning.
> > > One of useradd or adduser does this
> > > and the security script has a "length $pwd != 13" exemption for that
> > > reason.
> >
> > That's partially correct. However, that only works as long as there is
> > an alternative login method (an SSH key, for example), but for anongot,
> > you need a passwordless user.
>
> Right, the 13 stars don't work in that situation. However, using an
> empty password does seem to work although I haven't tested it with gotsh:
>
> $ encrypt ''

I recently switched my mail client, and accidentally sent my last message
only to tb@, sorry. Here's the original message:

> Oh, right, somehow the thought of running encrypt with an empty string
> never occurred to me. Thanks, works like a charm!
>
> Alexander

And here's a diff adding the information to the gotsh(1) man page:

diff /home/aa/ar/got commit - 1f8d584437c06db990ac352cce06402c80b1f6a4 path + /home/aa/ar/got blob - 6388edcc1cf538c87de0145789b59d6972dec668 file + gotsh/gotsh.1 --- gotsh/gotsh.1 +++ gotsh/gotsh.1 @@ -130,6 +130,24 @@ Use of an empty password must be explicitly allowed in anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh .Ed .Pp +On +.Ox +the command +.Xr encrypt 1 +can be used with an empty string: +.Bd -literal +$ encrypt '' +.Ed +.Pp +and the password entry can instead look like this example: +.Bd -literal +anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh +.Ed +.Pp +This method has the advantage that +.Xr security 8 +will not consider the user's password to be empty. +.Pp Use of an empty password must be explicitly allowed in .Xr sshd_config 5 : .Bd -literal -offset indent
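Review bot: the entry added under "and the password entry can instead look like this example:" is byte-identical to the empty-password entry in the context just before the hunk (`anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh`), so the rendered page would show the same line twice and never the hashed form the sentence promises. The second field of the new example should carry what `encrypt ''` prints; since that output is salted and differs on every run, either paste one real output as the illustration or use an obvious placeholder (for example `anonymous:$2b$...:1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh`) and say in the text that the reader must substitute their own. Showing the resulting hash on the line after `$ encrypt ''` in the first literal block would make the expected output clear as well. Minor style point: the two new `.Bd -literal` blocks omit the `-offset indent` that the following context block (`.Bd -literal -offset indent`) uses.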
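As an added example (not code from this thread, from security(8), or from the got project), the following POSIX sh script re-implements the "has no password" check quoted from /usr/libexec/security above and runs it over a few constructed master.passwd(5) lines, so the three password-field choices discussed in the thread (empty, thirteen stars, a hash of the empty string) can be compared side by side. The sample entries are made up; the bcrypt string on the `anonymous` line is a placeholder for whatever `encrypt ''` prints on your own OpenBSD system, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the got project: a POSIX sh
# re-implementation of the "has no password" check quoted from
# /usr/libexec/security, run over constructed master.passwd(5) lines.

# Constructed sample entries (not from any real system). The bcrypt string on
# the "anonymous" line is a placeholder for the output of `encrypt ''` on your
# own OpenBSD box; only its non-emptiness matters to the check below.
SAMPLE_MASTER_PASSWD='anon::1006:1006::0:0:Anon:/var/empty:/usr/local/bin/gotsh
anoncvs::1005:1005::0:0:AnonCVS:/var/empty:/usr/local/bin/anoncvssh
nobody:*************:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin
anonymous:$2b$08$output-of-encrypt-goes-here:1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh'

# Shell equivalent of the Perl line quoted in the thread:
#   nag $pwd eq '' && !($name eq 'anoncvs' && $shell =~ /\/anoncvssh$/),
#       "Login $name has no password.";
# Reads master.passwd lines on stdin and prints one nag per offending entry.
nag_no_password() {
    while IFS=: read -r name pwd uid gid class change expire gecos home shell; do
        [ -z "$pwd" ] || continue            # only an empty second field nags
        case "$name:$shell" in
            anoncvs:*/anoncvssh) ;;          # the script's only built-in exemption
            *) printf 'Login %s has no password.\n' "$name" ;;
        esac
    done
}

# Classify the password field of one master.passwd line the way the thread
# discusses it: "empty" (nags, but lets anon log in), "thirteen-stars"
# (silent, but there is no password to log in with, so useless for anongot),
# or "hash" (silent, and an empty password still authenticates when the hash
# came from `encrypt ''`, as reported in the thread).
classify_pwd_field() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    if [ -z "$field" ]; then
        echo empty
    elif [ "$field" = '*************' ]; then
        echo thirteen-stars
    else
        echo hash
    fi
}

# Run the check over the constructed sample; only the "anon" line should nag.
run_sample_check() {
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | nag_no_password
}

# The thread's fix, for use on OpenBSD: print a hash of the empty password to
# paste into the second field. Returns non-zero where encrypt(1) is absent.
hash_empty_password() {
    command -v encrypt >/dev/null 2>&1 || return 1
    encrypt ''
}

run_sample_check
```

Running the script prints exactly one line, `Login anon has no password.`: the `anoncvs` entry is covered by the exemption, the thirteen-star entry is non-empty, and the hashed entry is non-empty too, which is why the `encrypt ''` approach silences security(8) while still allowing the passwordless login that anonymous gotsh needs. On OpenBSD, `hash_empty_password` prints a fresh salted hash each time it is called, so paste one output into the entry rather than expecting the same string twice.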