syamos

Q: Setting user password to invalid one?

I'd like to create a "system" user using the command line and set its password to one that cannot be typed in.

I found multiple pointers about using "dscl" and managed to create a hidden user, but I'd like to make it impossible to log in to the user no matter what.

I already set it as a "Hidden" user, but this only hides him from the login screen, not from ssh, doesn't it?

The motivation is that this is a "System" account (specifically, I intend it solely to own the Homebrew command) which should never, ever be logged in to.

In Linux(/Unix) there is the option to simply set the password in the /etc/shadow file to something that's not a possible output of the password hash (e.g. the literal "*" or "!"), therefore making it impossible to type any string which will let the user in.

Is this possible through the command line on OS X (El Capitan)?

OS X El Capitan (10.11)

Posted on Mar 17, 2016 6:37 PM


  • by BobHarris, Level 6 (19,272 points), Mac OS X
    Mar 17, 2016 7:57 PM in response to syamos

    Some ideas

    vipw(8)              - edit the password file

    Create a password that is impossible to remember and thus to enter.  Something very long with lots of random characters, or maybe use 'makekey' or get something from a web site, or grab some values from

    cat /dev/random | hexdump

  • by syamos, Level 1 (0 points)
    Mar 17, 2016 9:12 PM in response to BobHarris

    Thanks but these won't do:

    1. vipw edits a file which is only consulted in single-user mode (according to the comment at the top of the file - /etc/master.passwd).

    2. The file vipw edits does not contain the password hashes

    3. Even with a random password the account is still theoretically exposed to brute-force attack.

  • by Linc Davis, Level 10 (207,926 points), Applications
    Mar 18, 2016 6:18 AM in response to syamos

    Set the password to "*" (without the quotes) in Directory Utility.

  • by BobHarris, Level 6 (19,272 points), Mac OS X
    Mar 18, 2016 6:24 AM in response to syamos

    Update:  Apparently Linc and I were responding at about the same time, and Linc has a better answer.

    A sufficiently long key will be next to impossible to brute force crack.

    You could see if you can figure out how the 'root' account is disabled for normal logins, but still exists.
    dscl . -read /Users/root
    vs
    dscl . -read /Users/<your_testing_account_name_here>
    Then see if you can find something via Google about dscl that will explain how the 'root' account is disabled for normal logins.

  • by BobHarris, Level 6 (19,272 points), Mac OS X
    Mar 18, 2016 6:32 AM in response to syamos

    Filling in a few details to ' post.

    Directory Utility is buried in coreservices.  The easiest way to launch it is via Spotlight Command-Space "Directory Utility"

    You unlock the padlock on the lower left

    Select "Directory Editor" tab

    search for the account to give invalid password

    Select the Password field

    In the bottom right box, enter the * as suggested by Linc

    Click save

    Test test test this on an account you can throw away if something goes wrong before applying it to an account you have spent a lot of time getting just right.
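The thread leaves the reader with two manual checks: the Linux convention from the question (an /etc/shadow field of "*" or "!" is not a valid crypt(3) hash, so nothing typed can match it) and the macOS equivalent from Linc's and Bob's replies (a Password attribute of the literal "*", which is what `dscl . -read /Users/root` shows for the disabled root account, while accounts with a real hash in ShadowHashData show "********"). The script below is an added example, not code from the thread, from Apple, or from Homebrew: it turns both checks into small audit functions that classify saved `/etc/shadow` lines and saved `dscl` output, so a service account can be verified after the edit. Because a "*" password only defeats password authentication (an ssh public key in the account's authorized_keys would still grant a session), it also reports whether the UserShell is a non-interactive one such as /usr/bin/false, which macOS uses for its own service accounts. The account names, the shadow lines and the dscl output embedded below are constructed samples with a fake hash; the script never calls `dscl` itself.

```shell
#!/bin/sh
# Added example, not from the thread: classify whether a stored password field
# can ever match a typed password. All sample inputs are constructed.

# Linux/Unix: second field of an /etc/shadow line. crypt(3) hashes start with
# '$' (e.g. "$6$..."); a field starting with '*' or '!' is not a valid hash, so
# no typed password can match. An EMPTY field is the dangerous case: it means
# no password is required at all.
shadow_field_status() {
  case "$1" in
    "")        echo "EMPTY" ;;
    "*"*|"!"*) echo "LOCKED" ;;
    '$'*)      echo "HASHED" ;;
    *)         echo "UNKNOWN" ;;
  esac
}

# Whole shadow line "name:field:lastchg:...": print "name STATUS".
shadow_line_status() {
  name=$(printf '%s\n' "$1" | cut -d: -f1)
  field=$(printf '%s\n' "$1" | cut -d: -f2)
  printf '%s %s\n' "$name" "$(shadow_field_status "$field")"
}

# macOS: `dscl . -read /Users/<name>` prints "Key: value" lines. A Password
# attribute of the literal '*' (the thread's fix, and what the built-in root
# account shows) has no hash a typed password could match; "********" means a
# real hash is stored in ShadowHashData and password login is possible.
dscl_password_status() {
  pw=$(printf '%s\n' "$1" | sed -n 's/^Password: //p')
  case "$pw" in
    "*")        echo "LOCKED" ;;
    "********") echo "HASHED" ;;
    "")         echo "NO-PASSWORD-ATTRIBUTE" ;;
    *)          echo "OTHER" ;;
  esac
}

# The '*' password only blocks password authentication. A service account
# should also carry a non-interactive shell so an ssh key or su cannot give
# it a usable session; /usr/bin/false is what macOS uses for its own
# service accounts.
dscl_shell_status() {
  sh=$(printf '%s\n' "$1" | sed -n 's/^UserShell: //p')
  case "$sh" in
    /usr/bin/false|/sbin/nologin) echo "NOLOGIN" ;;
    "")                           echo "NO-SHELL-ATTRIBUTE" ;;
    *)                            echo "INTERACTIVE" ;;
  esac
}

# Constructed samples: hypothetical accounts "brew" and "alice", fake hash.
SAMPLE_SHADOW_LOCKED='brew:*:17000:0:99999:7:::'
SAMPLE_SHADOW_ACTIVE='alice:$6$saltsalt$notarealhashvalue:17000:0:99999:7:::'
SAMPLE_DSCL_LOCKED='RecordName: brew
Password: *
UserShell: /usr/bin/false'
SAMPLE_DSCL_ACTIVE='RecordName: alice
Password: ********
UserShell: /bin/zsh'

shadow_line_status "$SAMPLE_SHADOW_LOCKED"
shadow_line_status "$SAMPLE_SHADOW_ACTIVE"
printf 'brew  password=%s shell=%s\n' \
  "$(dscl_password_status "$SAMPLE_DSCL_LOCKED")" \
  "$(dscl_shell_status "$SAMPLE_DSCL_LOCKED")"
printf 'alice password=%s shell=%s\n' \
  "$(dscl_password_status "$SAMPLE_DSCL_ACTIVE")" \
  "$(dscl_shell_status "$SAMPLE_DSCL_ACTIVE")"
```

On a real Mac the same functions can be fed live output, for example `dscl_password_status "$(dscl . -read /Users/brew Password)"`, after the Directory Utility edit described above; the expected result for the service account is LOCKED for the password and NOLOGIN for the shell.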