RE: Lock Account

From: Parsons, Rick (rick.parsons@eds.com)
Date: 02/21/03

    From: "Parsons, Rick" <rick.parsons@eds.com>
    To: "SecureShell (E-mail)" <secureshell@securityfocus.com>
    Date: Fri, 21 Feb 2003 11:46:20 -0000
    
    

    Miguel said ...

    If you want to disable a user temporarily you can add an asterisk (*) before
    the corresponding entry of that user in the /etc/passwd file:

    before:

     miguel:x:500:500:miguel gonzalez:/home/miguel:/bin/bash

     *miguel:x:500:500:miguel gonzalez:/home/miguel:/bin/bash

     HTH

     Miguel

    ... this is a very dangerous MYTH. It does not disable the account (there is
    no comment structure for the passwd file), all it does is change the name of
    it. So, although the user can no longer log into the "miguel" account,
    they could log into one called "*miguel". It is true that in this particular
    case, the system seems to be using a shadow password file and the
    corresponding shadow entry has not been renamed, hence the login would fail,
    but in the general case this may not be true - it depends on your system.
    Another drawback to this method is that now all the files that were
    previously owned by "miguel" are now owned by "*miguel", potentially
    creating confusion.

    Depending on the password management system on your system, there are
    better ways to disable accounts. On a traditional unix system using 13
    character password hashes, an effective way is to insert the "*" onto the
    front of the hashed passwd making it 14 characters and containing an invalid
    character. No login will succeed but all other services function as normal.

    Rick Parsons

    Bristol, England


