What does `adduser --disabled-login` do?


16

The installation documentation I am following instructs me to add a user like this:

sudo adduser --disabled-login --gecos 'GitLab' git

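The --disabled-login flag is not in most of the man pages I have searched.

I have two users, one with --disabled-login (foo) and one without (git).

As far as I can tell, the --disabled-login flag does nothing. I can still su to both users, and both have /bin/bash as their login shell.

The only difference I can see is that in getent passwd the user with the disabled login has extra commas before the home folder. Is there any documentation I can find that indicates what this means?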

root@gitlab:~# getent passwd git
git:x:998:998:GitLab:/home/git:/bin/bash  

root@gitlab:~# getent passwd foo
foo:x:1001:1002:GitLab,,,:/home/foo:/bin/bash

Update #1

I found another difference: one user has * as the password, and the other has !

root@gitlab:~# getent shadow git
git:*:15998::::::
root@gitlab:~# getent shadow foo
foo:!:15998:0:99999:7:::

What exactly does --disabled-login do on Ubuntu?


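For the record, the extra commas separate the fields within the "gecos" field: full name, room number, work phone, home phone. I don't know why they appear in one version and not the other. You can find documentation on this in the man page for the chfn tool.
2013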

That makes sense. When I added one user, I accidentally chose "y" when prompted to enter that information. The other user was added via Puppet.
'13

Answers:


17

The explanation is not well documented.

--disabled-login sets the password to !

Password values

NP or null = The account has no password
*  = The account is deactivated & locked
!  = The login is deactivated, user will be unable to login
!!  = The password has expired

Example

root@gitlab:~# getent shadow vagrant
vagrant:$6$abcdefghijklmnopqrstuvwxyz/:15805:0:99999:7:::

root@gitlab:~# getent shadow foo
foo:!:15998:0:99999:7:::

root@gitlab:~# getent shadow git
git:*:15998::::::

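Wikipedia covers this briefly. It seems that * and ! effectively do the same thing: they prevent the user from logging in (but do not prevent other users from su-ing to it).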


3

This is partially discussed in the shadow man page.

Excerpt

$ man shadow
...
...
encrypted password
     Refer to crypt(3) for details on how this string is interpreted.

     If the password field contains some string that is not a valid result of 
     crypt(3), for instance ! or *, the user will not be able to use a unix
     password to log in (but the user may log in the system by other means).

     This field may be empty, in which case no passwords are required to 
     authenticate as the specified login name. However, some applications which
     read the /etc/shadow file may decide not to permit any access at all if the
     password field is empty.

     A password field which starts with a exclamation mark means that the 
     password is locked. The remaining characters on the line represent the 
     password field before the password was locked.

The adduser man page refers to this, depending on your version of the man page.

Excerpt from the adduser man page

--disabled-login
       Do  not  run passwd to set the password.  The user won't be able
       to use her account until the password is set.

--disabled-password
       Like --disabled-login, but logins are still possible (for  exam-
       ple using SSH RSA keys) but not using password authentication.
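
The following is an added example, not part of either answer above: a small shell audit that classifies the password field of shadow-format lines using the rules in the quoted shadow man page excerpt. The function names and state labels are assumptions chosen for this sketch, the last two sample entries are constructed, and only modular `$id$...` strings are treated as hashes.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5) entries.
# Assumption: only modular-crypt strings ("$id$...") count as real hashes;
# legacy 13-character DES hashes would be reported as "no-valid-hash".

# classify_field FIELD -> prints one state label (labels are hypothetical)
classify_field() {
    case "$1" in
        '')                                  # empty: no password required
            echo "empty" ;;
        '!'*)                                # leading "!": password is locked
            kept=${1#?}                      # what the field held before locking
            case "$kept" in
                '$'?*) echo "locked-hash-kept" ;;  # unlocking restores this hash
                *)     echo "locked-no-hash" ;;    # e.g. adduser --disabled-login
            esac ;;
        '$'?*)                               # looks like a crypt(3) result
            echo "hash" ;;
        *)                                   # e.g. "*": can never match a password
            echo "no-valid-hash" ;;
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user state" per line
audit_shadow() {
    while IFS=: read -r user field rest_ignored; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Sample input: the first three lines come from the page,
# the last two (bar, nopw) are constructed for this example.
sample_shadow() {
cat <<'EOF'
vagrant:$6$abcdefghijklmnopqrstuvwxyz/:15805:0:99999:7:::
foo:!:15998:0:99999:7:::
git:*:15998::::::
bar:!$6$constructedsalt$constructedhash:15998:0:99999:7:::
nopw::15998:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real host the same function can be fed with `getent shadow | audit_shadow` as root. An `empty` result is the one to investigate first, since the man page excerpt says no password is required for such an account.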
Licensed under cc by-sa 3.0 with attribution required.