Description of problem:

What is the definition of "Login by password disabled"?

Password hash field of shadow file of a new user account without password defined contains "!!" only. The user is not (and should not be) able to log in with password.

The status of this check item has been changed to "no" in util-linux-2.32.1-38. (https://bugzilla.redhat.com/show_bug.cgi?id=2093166)

=========================
RHEL8.6:

    # rpm -qa | grep util-linux
    util-linux-2.32.1-35.el8.x86_64

    # useradd test-user

    # grep test-user /etc/passwd
    test-user:x:1003:1003::/home/test-user:/bin/bash

    # grep test-user /etc/shadow
    test-user:!!:19349:0:99999:7:::

    # lslogins test-user
    Username:                           test-user
    UID:                                1003
    Gecos field:
    Home directory:                     /home/test-user
    Shell:                              /bin/bash
    No login:                           no
    Password is locked:                 no
    Password not required:              no
    Login by password disabled:         yes
    Primary group:                      test-user
    GID:                                1003
    Hushed:                             no
    Password expiration warn interval:  7
    Password changed:                   19:00
    Maximum change time:                99999
    Running processes:                  0
    Last logs:

=====
RHEL8.7:

    # rpm -qa | grep util-linux
    util-linux-2.32.1-38.el8.x86_64

    # useradd test-user

    # grep test-user /etc/passwd
    test-user:x:1004:1004::/home/test-user:/bin/bash

    # grep test-user /etc/shadow
    test-user:!!:19349:0:99999:7:::

    # lslogins test-user
    Username:                           test-user
    UID:                                1004
    Gecos field:
    Home directory:                     /home/test-user
    Shell:                              /bin/bash
    No login:                           no
    Password is locked:                 yes
    Password not required (empty):      yes
    Login by password disabled:         no
    Primary group:                      test-user
    GID:                                1004
    Hushed:                             no
    Password expiration warn interval:  7
    Password changed:                   10:00
    Maximum change time:                99999
    Running processes:                  0
    Last logs:

=========================

Can we have a clear definition of each check item?
I'll add some details to the man page.
In the new definition:

> *"Login by password disabled"*::
> 'yes' means that there is no valid password. The password hash is missing, or the hash method is unknown or contains invalid chars.

This is still not clear.

In the examples below, two new users were created. One without password set, and the other one with password removed.

- test-user1 does not have a valid password hash
- test-user2's password hash is missing

My interpretation is that both should display "yes".

=====================

    # useradd test-user1
    # useradd test-user2
    # passwd -d test-user2
    Removing password for user test-user2.
    passwd: Note: deleting a password also unlocks the password.
    passwd: Success

    # cat /etc/passwd | grep test-user
    test-user1:x:1003:1003::/home/test-user1:/bin/bash
    test-user2:x:1004:1004::/home/test-user2:/bin/bash

    # cat /etc/shadow | grep test-user
    test-user1:!!:19389:0:99999:7:::
    test-user2::19389:0:99999:7:::

    # lslogins test-user1
    Username:                           test-user1
    UID:                                1003
    Gecos field:
    Home directory:                     /home/test-user1
    Shell:                              /bin/bash
    No login:                           no
    Password is locked:                 yes
    Password not required (empty):      yes
    Login by password disabled:         no
    Primary group:                      test-user1
    GID:                                1003
    Hushed:                             no
    Password expiration warn interval:  7
    Password changed:                   10:00
    Maximum change time:                99999
    Running processes:                  0
    Last logs:

    # lslogins test-user2
    Username:                           test-user2
    UID:                                1004
    Gecos field:
    Home directory:                     /home/test-user2
    Shell:                              /bin/bash
    No login:                           no
    Password is locked:                 no
    Password not required (empty):      yes
    Login by password disabled:         no
    Primary group:                      test-user2
    GID:                                1004
    Hushed:                             no
    Password expiration warn interval:  7
    Password changed:                   10:00
    Maximum change time:                99999
    Running processes:                  0
    Last logs:

    # lslogins -V
    lslogins from util-linux 2.32.1
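Added example (not part of the original thread and not util-linux code): a small classifier that applies the shadow(5) password-field conventions to the two entries quoted above, so the three states under discussion (empty, locked, no valid hash) can be checked independently of what lslogins prints. The hash-shape patterns, the function names and the last three sample entries are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: simplified shapes for a crypt(3) result, either modular
# crypt format ($id$...) or a 13-character traditional DES hash.
_MCF = re.compile(r"^\$[A-Za-z0-9-]+\$[A-Za-z0-9./$=,]+$")
_DES = re.compile(r"^[A-Za-z0-9./]{13}$")

# First two lines are the entries from the report; the rest are constructed.
SAMPLE_SHADOW = """\
test-user1:!!:19389:0:99999:7:::
test-user2::19389:0:99999:7:::
svc-example:*:19389:0:99999:7:::
alice-example:$6$constructedsalt$constructedhash:19389:0:99999:7:::
bob-example:!$6$constructedsalt$constructedhash:19389:0:99999:7:::
"""

@dataclass(frozen=True)
class PasswordState:
    user: str
    empty: bool       # field is empty: no password is required
    locked: bool      # field starts with "!"
    valid_hash: bool  # a well-formed hash is present, ignoring any "!" prefix

def classify_line(line: str) -> PasswordState:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"malformed shadow entry: {line!r}")
    user, pw = fields[0], fields[1]
    candidate = pw.lstrip("!")  # what would remain after unlocking
    valid = bool(_MCF.match(candidate) or _DES.match(candidate))
    return PasswordState(user, pw == "", pw.startswith("!"), valid)

def audit(shadow_text: str) -> list[PasswordState]:
    return [classify_line(l) for l in shadow_text.splitlines() if l.strip()]

def needs_review(state: PasswordState) -> bool:
    # An empty field is the risky case: it is neither locked nor protected
    # by a hash, so whether login succeeds is left to application policy.
    return state.empty

if __name__ == "__main__":
    for s in audit(SAMPLE_SHADOW):
        print(f"{s.user:14} empty={s.empty!s:5} locked={s.locked!s:5} "
              f"valid_hash={s.valid_hash!s:5} review={needs_review(s)}")
```

Under these conventions test-user1 ("!!") is locked with no hash behind the lock, while test-user2 (empty field after `passwd -d`) is the only entry flagged for review.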
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (util-linux bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3054