
For academic purposes only, I am doing research about the usermod command working with the -p or --password option:

In man usermod there is:

-p, --password PASSWORD
The encrypted password, as returned by crypt(3).

Note: This option is not recommended because the password
(or encrypted password) will be visible by users listing the
processes.

The password will be written in the local /etc/passwd or /etc/shadow file.
This might differ from the password database configured in your PAM configuration.

You should make sure the password respects the system's password policy.

I know that the following two commands are the same:

sudo usermod -p  rodimus_prime  rodimusprime-disabledlogin
sudo usermod -p 'rodimus_prime' rodimusprime-disabledlogin

It is reflected as:

sudo cat /etc/shadow | grep prime
rodimusprime-disabledlogin:rodimus_prime:19838:0:99999:7:::

Theoretically it is a plain password, but that is not correct: an encrypted password is expected from the beginning instead. Therefore the correct approach would be:

sudo usermod --password $(openssl passwd    <plainpasswordtext>) rodimusprime-disabledlogin
sudo usermod --password $(openssl passwd -1 <plainpasswordtext>) rodimusprime-disabledlogin

Now, the reason for this question is the following note:

Note: This option is not recommended because the password
(or encrypted password) will be visible by users listing the
processes.

If the sudo cat /etc/shadow | grep usernamepattern command is executed, then each user matching the pattern is listed with his respective encrypted password, as expected. Therefore, according to the mentioned special note: even if the password is visible, it is encrypted, right? So:

Question

  • Why exactly is the usermod -p command not recommended?
  • As man says: because the password (or encrypted password) will be visible by users listing the processes.
    – Soren A
    Commented Apr 25 at 17:18
  • One of the ps options is to list command lines.
    – ubfan1
    Commented Apr 25 at 21:08
  • With what kind of command(s) would it be possible to generate that scenario? I want to see explicitly the difference against any password generated with the passwd command instead. Anyway, both kinds of encrypted passwords, generated through either the passwd or the usermod command, appear through sudo cat /etc/shadow
    Commented Apr 25 at 21:10
  • ... try running the examples you give with shell debugging enabled using set -x: you will see that your interactive shell runs $(openssl passwd -1 <plainpasswordtext>) and then runs sudo usermod -p with the resulting encrypted (really hashed) string. Anyone who manages to snoop on your - unprivileged - terminal session (or read /var/log/auth.log i.e. all members of the adm group) will be able to see it.
    Commented Apr 25 at 21:15
  • @steeldriver thanks, I will do research and testing about that. Now the "dangerous" scenarios are clearer.
    Commented Apr 25 at 21:17
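The exposure discussed in the question and in the comments above, as an added example that is not part of the original post, of the commenters' code, or of the shadow-utils documentation. The first function shows what any local user reads from /proc/<pid>/cmdline (which is what ps -o args prints) for a process that was handed a secret as an argument, the way usermod -p <hash> and openssl passwd -1 <plainpasswordtext> are. The remaining functions show one way to avoid that: openssl reads the plaintext from stdin with -stdin, and chpasswd -e reads user:hash lines from stdin, so neither the plaintext nor the hash is ever part of a process argument list. Assumptions: a Linux /proc without hidepid, openssl 1.1.1 or later for the -6 (SHA-512 crypt) option, which is my choice here rather than the -1 used in the question, and chpasswd from shadow-utils. The marker string and the demo password are constructed values.

```shell
#!/bin/sh
# Added example, not from the original question or comments.

# What another user sees for a process that got a secret as an argument.
# The child shell never uses $1, yet $1 stays in its argv for the whole
# lifetime of the process. /proc/self/cmdline is the same file any other
# user can open as /proc/<pid>/cmdline (or list via `ps -o args`); it is
# world-readable unless /proc is mounted with hidepid (assumption: default).
argv_as_seen_by_others() {
    sh -c 'tr "\0" " " < /proc/self/cmdline' sh "$1"
}

# Hash a plaintext password without it appearing in any argv: openssl reads
# the plaintext from stdin (-stdin) and prints a SHA-512 crypt(3) hash (-6),
# the format usermod -p and chpasswd -e expect.
# Usage: printf '%s\n' "$plain" | hash_from_stdin
hash_from_stdin() {
    openssl passwd -6 -stdin
}

# Read the plaintext from the terminal into a shell variable instead of typing
# it on a command line; shell variables are not visible in /proc/<pid>/cmdline.
read_password_from_tty() {
    printf 'Password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r plain
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s\n' "$plain"
}

# Apply the hash without putting even the hash in argv: printf is a shell
# builtin, and chpasswd -e takes "user:hash" lines on stdin, so the only
# visible process argument is "-e". Needs root; not run in this demo.
set_hashed_password() {
    user="$1"
    hash="$2"
    printf '%s:%s\n' "$user" "$hash" | chpasswd -e
}

# Demo run: only a constructed marker string is exposed.
echo "what /proc/<pid>/cmdline shows for a process given a secret as argument:"
argv_as_seen_by_others 'CONSTRUCTED-SECRET-MARKER'
echo

# End-to-end safe variant (root only, so left as a comment):
#   plain=$(read_password_from_tty)
#   hash=$(printf '%s\n' "$plain" | hash_from_stdin)
#   set_hashed_password rodimusprime-disabledlogin "$hash"
```

Running the demo prints a line containing CONSTRUCTED-SECRET-MARKER, which is exactly what the usermod -p hash (or the plaintext inside the $(openssl passwd ...) substitution) looks like to everyone else on the machine while the command runs. Compare with the commented safe variant at the end: the plaintext only ever travels through a shell variable and two pipes, and the hash reaches chpasswd on stdin, so a process listing taken at any moment shows nothing secret.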

