useradd not encrypting passwords in /etc/shadow

I stumbled accross this problem when trying to create new FTP users for vsftpd. Upon creating a new user with the following command and attempting login with FileZilla, I would get an "incorrect password" error.

useradd f -p pass -d /home/f -s /bin/false

After doing this, /etc/shadow contains

f:pass:1111:0:99:2:::

Once I run the following command and provide the same pass pass

passwd f

/etc/shadow contains

f:$1$U1c5vVwg$x5TVDDDmhi0a7RWFer6Jn1:1111:0:99:2:::

It appears that encryption happens when I run passwd, but doesn't upon useradd

Importantly after doing this, I am able to login to FTP with the exact same credentials.

I am using CentOS 5.11, vsftpd for FTP, and FileZilla for FTP Access

/var/log/secure contains:

Dec 17 useradd[644]: new group: name=f, GID=511
Dec 17 useradd[644]: new user: name=f, UID=511, GID=511, home=/home/f, shell=/bin/false

Why does it not work when I pass -p pass to useradd? What do I need to do to make it work?


That is working as intended. If you want to set a password using the useradd command, you are supposed to give a hashed version of the password to useradd.

The string pass does satisfy the format criteria for the hashed password field in /etc/shadow, but no actual password hashes to that string. The result is that for all intents and purposes, that account will behave as having a password, but any password you try to use to access it will be rejected as not being the correct password.

See man useradd or the useradd documentation:

-p, --password PASSWORD

The encrypted password, as returned by crypt(3). The default is to disable the password.

Note: This option is not recommended because the password (or encrypted password) will be visible by users listing the processes.

You should make sure the password respects the system's password policy.


manuseradd:

   -p, --password PASSWORD
       The encrypted password, as returned by crypt(3). The default is to
       disable the password.

You are supposed to pass a hashed password to it.
Not a plaintext password.