documentation_complete: true
title: 'Protect Accounts by Restricting Password-Based Login'
description: |-
    Conventionally, Unix shell accounts are accessed by
    providing a username and password to a login program, which tests
    these values for correctness using the <tt>/etc/passwd</tt> and
    <tt>/etc/shadow</tt> files. Password-based login is vulnerable to
    guessing of weak passwords, and to sniffing and man-in-the-middle
    attacks against passwords entered over a network or at an insecure
    console. Therefore, mechanisms for accessing accounts by entering
    usernames and passwords should be restricted to those which are
    operationally necessary.