Path: utzoo!utgpu!watmath!clyde!att!osu-cis!killer!texbell!sneaky!gordon
From: gordon@sneaky.TANDY.COM (Gordon Burditt)
Newsgroups: comp.unix.questions
Subject: Re: Comments in /etc/passwd
Summary: logins with odd chars in password field have *NO* unencrypted password
Message-ID: <6122@sneaky.TANDY.COM>
Date: 9 Jan 89 00:27:17 GMT
References: <18759@agate.BERKELEY.EDU> <9288@smoke.BRL.MIL> <17929@prls.UUCP>
Reply-To: gordon@sneaky.UUCP (Gordon Burditt)
Organization: Gordon Burditt
Lines: 37

> The only safe way I have found to do this is by creating dummy accounts:
>_:- :6:6::: ***************************
>_:- :6:6: * Remote System Logins:: *
>_:- :6:6::: ***************************
> Every comment line contains a filled in passwd field, perhaps someone
> very familiar with DES (I'm not at all) could figure out the "unencrypted"
> form.

The alphabet for encrypted passwords consists of A-Z, a-z, 0-9, period, and
slash.  Anything in the password field that contains a character other than
these, or which isn't 13 characters long, doesn't have a corresponding
"unencrypted" form.

DES produces a 64-bit binary value which crypt(3) then turns into printable
form.  There is also the 12-bit salt.  You don't have to know anything more
about DES.  The turn-to-printable routine divides the salt into 2 6-bit hunks
and the DES value into 11 6-bit hunks (using 2 extra dummy bits), and each
hunk is represented by 1 character, taken from the set listed above.

Crypt(3) is never going to produce encrypted passwords containing '*',
blanks, or 1-character long encrypted passwords, so no password can ever
match.  As far as login, su, etc. are concerned, this method of inserting
comments is safe.

> Some utilities don't like seeing more than one account with the same
> uid and gid combination.  This has not been a problem at this site.

The only standard (Sys V) utilities I am familiar with that complain about
multiple accounts with the same uid/gid combination are those specifically
designed to do so (and their entire function is to check the sanity of the
password and group files): "pwcheck" and "grpcheck".  You can ignore the
messages related to the comment entries unless you have a boss that takes
the messages as gospel and insists you fix the problem.  Some systems have
distributed password files with the same uid/gid combinations in the
password file.

					Gordon L. Burditt
					...!texbell!sneaky!gordon
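An added example (not part of the original post) showing the 13-character crypt(3) form described above and an audit of passwd entries against it. `to_crypt_text` illustrates only the 2 + 11 six-bit grouping; its bit order is not a crypt(3)-compatible reimplementation, and the sample passwd file is constructed (the three comment entries are the ones quoted in the post).

```python
# The 64 characters crypt(3) uses for each 6-bit group: A-Z, a-z, 0-9, '.', '/'.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample file: the three comment entries from the post plus a
# hashed account, an empty password field and a '*'-locked account.
SAMPLE_PASSWD = """\
root:Nl2cXpKDx8wQ.:0:0:Super User:/:/bin/sh
_:- :6:6::: ***************************
_:- :6:6: * Remote System Logins:: *
_:- :6:6::: ***************************
guest::200:100:No password:/tmp:/bin/sh
uucp:*:4:4:uucp:/usr/lib/uucp:/bin/sh
"""

def to_crypt_text(salt12, des_block):
    """12-bit salt + 64-bit DES output -> 13 chars: 2 salt groups, then 11
    groups taken from the 64 bits plus 2 dummy bits.  (Shows the grouping
    only; the bit order here is an assumption, not crypt(3)'s.)"""
    if not (0 <= salt12 < 1 << 12 and 0 <= des_block < 1 << 64):
        raise ValueError("salt must fit in 12 bits, block in 64 bits")
    groups = [salt12 >> 6, salt12 & 63]
    padded = des_block << 2  # 66 bits = 11 groups of 6
    groups += [(padded >> (6 * i)) & 63 for i in range(10, -1, -1)]
    return "".join(CRYPT_ALPHABET[g] for g in groups)

def is_crypt_form(field):
    """True only if crypt(3) could have produced this password field."""
    return len(field) == 13 and all(c in CRYPT_ALPHABET for c in field)

def classify_field(field):
    if field == "":
        return "empty"  # login asks for no password at all
    if is_crypt_form(field):
        return "crypt"  # some cleartext may match this
    return "unmatchable"  # no cleartext can ever match this

def audit_passwd(text):
    """(login name, classification) per entry; 'malformed' if not 7 fields."""
    report = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            report.append((line, "malformed"))
        else:
            report.append((fields[0], classify_field(fields[1])))
    return report
```

Entries reported as "unmatchable" are the ones the post calls safe; "empty" entries are the ones worth a second look.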