
Setting user password to invalid one?

I'd like to create a "system" user using the command line and set its password to one that cannot be typed in.


I found multiple pointers about using "dscl" and managed to create a hidden user, but I'd like to make it impossible to log in to the user no matter what.


I already set it as a "Hidden" user, but this only hides him from the login screen, not from ssh, doesn't it?


The motivation is that this is a "System" account (specifically, I intend it solely to own the Homebrew command) which should never, ever be logged in to.


In Linux(/Unix) there is the option to simply set the password in the /etc/shadow file to something that's not a possible output of the password hash (e.g. the literal "*" or "!"), therefore making it impossible to type any string which will let the user in.


Is this possible through the command line on OS X (El Capitan)?

OS X El Capitan (10.11)

Posted on Mar 17, 2016 6:37 PM

5 replies

Mar 17, 2016 9:12 PM in response to BobHarris

Thanks but these won't do:


1. vipw edits a file which is only consulted in single-user mode (according to the comment at the top of the file - /etc/master.passwd).

2. The file vipw edits does not contain the password hashes.

3. Even with a random password the account is still theoretically exposed to a brute-force attack.

Mar 18, 2016 6:24 AM in response to syamos

Update: Apparently Linc and I were responding at about the same time, and Linc has a better answer.


A sufficiently long key will be next to impossible to brute force crack.

You could see if you can figure out how the 'root' account is disabled for normal logins, but still exists.

dscl . -read /Users/root

vs

dscl . -read /Users/

Then see if you can find something via Google about dscl that will explain how the 'root' account is disabled for normal logins.


Mar 18, 2016 6:32 AM in response to syamos

Filling in a few details to Linc Davis' post.


Directory Utility is buried in CoreServices. The easiest way to launch it is via Spotlight: Command-Space "Directory Utility".

You unlock the padlock on the lower left.

Select the "Directory Editor" tab.

Search for the account to give an invalid password.

Select the Password field.

In the bottom right box, enter the * as suggested by Linc.

Click Save.


Test test test this on an account you can throw away if something goes wrong before applying it to an account you have spent a lot of time getting just right.
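
The Directory Utility steps above, done from the command line with dscl (an added example, not part of the original thread). It assumes a root shell on OS X; the account name `_svc`, the `DSCL` variable and both function names are placeholders made up for this example.

```shell
#!/bin/sh
# Added example: set a local account's Password attribute to "*" with dscl
# and confirm the change by reading the attribute back.
# Assumptions: run as root; "_svc" stands in for the real account name.

# The dscl binary is overridable so the logic can be exercised off a Mac.
DSCL="${DSCL:-dscl}"

# Print the Password attribute of a local account.
# "*" means no typed password can match; "********" marks a stored hash.
password_marker() {
    "$DSCL" . -read "/Users/$1" Password 2>/dev/null |
        sed -n 's/^Password: *//p'
}

# Set Password to "*" on an existing account, then verify the result.
# Returns 0 on success, 1 if the write or the verification failed,
# and 2 if the account does not exist in the local directory.
lock_account() {
    user=$1
    "$DSCL" . -read "/Users/$user" RecordName >/dev/null 2>&1 || {
        echo "no such local account: $user" >&2
        return 2
    }
    "$DSCL" . -create "/Users/$user" Password '*' || return 1
    [ "$(password_marker "$user")" = "*" ]
}

# Usage: sh lock_account.sh _svc
if [ "$#" -gt 0 ]; then
    lock_account "$1" && echo "$1: Password is now $(password_marker "$1")"
fi
```

Comparing `password_marker root` with the result for the target account is the same check as the two `dscl . -read` commands suggested earlier in the thread.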
