Re: Lock Account

From: Brian Hatch (secure-shell@ifokr.org)
Date: 02/21/03

    Date: Fri, 21 Feb 2003 11:12:46 -0800
    From: Brian Hatch <secure-shell@ifokr.org>
    To: "Parsons, Rick" <rick.parsons@eds.com>

    > > If you want to disable a user temporarily you can add an asterisk (*) before
    > > the corresponding entry of that user in the /etc/passwd file:
    ...
    >
    > ... this is a very dangerous MYTH. It does not disable the account (there is
    > no comment structure for the passwd file), all it does is change the name of
    > it. So, although the user can no longer log into the "miguel" account,
    > they could log into one called "*miguel".
    ...

    However, if you prepend with "-", that will disable the account on many
    unix variants by abusing an NIS trick. (You dictate which NIS accounts
    or groups to not include by using -name entries.)

    Try it out:

    $ tail -1 /etc/passwd
    badguy:x:1000:1000:Some bad user:/home/badguy:/bin/sh

    $ perl -e 'while (($username)=getpwent()) { print " $username\n"; }' | grep badguy
    badguy

    # vi /etc/passwd
     (prepend '-')

    $ tail -1 /etc/passwd
    -badguy:x:1000:1000:Some bad user:/home/badguy:/bin/sh

    $ perl -e 'while (($username)=getpwent()) { print " $username\n"; }' | grep badguy
    $

    > Depending on the password management system on your system, there are
    > better ways to disable accounts. On a traditional unix system using 13
    > character password hashes, an effective way is to insert the "*" onto the
    > front of the hashed passwd making it 14 characters and containing an invalid
    > character. No login will succeed but all other services function as normal

    Still doesn't work if the user has alternate authentication methods, such as
    SSH identities, which do not require valid /etc/shadow entries. Better
    to remove the whole account by editing /etc/passwd.

    --
    Brian Hatch                  Ever wonder what the
       Systems and                speed of lightning
       Security Engineer          would be if it
    www.hackinglinuxexposed.com   didn't zigzag?
    Every message PGP signed
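As an added example (not part of Brian's post or the thread), a small Python audit that flags the three pitfalls discussed above in passwd/shadow text: "*"-prefixed names are only renamed, "-"-prefixed names depend on the NIS compat trick, and a disabled shadow hash does nothing against SSH key authentication. The file contents and the `has_keys` set are constructed inputs standing in for the real files and a scan of each home directory's `.ssh/authorized_keys`.

```python
# Added example, not from the original post: audit passwd/shadow text for
# "disabling" tricks that do not actually disable, using constructed samples.

def parse_colon_file(text):
    """Map the first field (account name) to its colon-separated fields."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def audit_accounts(passwd_text, shadow_text, has_keys):
    """Return (account, finding) pairs; has_keys = names with authorized_keys."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for name in parse_colon_file(passwd_text):
        if name.startswith("*"):
            # passwd has no comment syntax: the entry is merely renamed "*name".
            findings.append((name, "renamed, not disabled"))
        elif name.startswith("-"):
            # NIS compat exclusion: skipped by getpwent() only where honoured.
            findings.append((name, "hidden via NIS '-' entry, not portable"))
        else:
            hashed = shadow.get(name, ["", ""])[1]
            # '*' prepended to the hash (or '!' from passwd -l) stops password
            # checks only; an authorized_keys file can still admit the user.
            if hashed.startswith(("*", "!")) and name in has_keys:
                findings.append((name, "password locked but SSH keys still work"))
    return findings

# Constructed sample files and key inventory (not real hashes or hosts).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
*miguel:x:1001:1001:Miguel:/home/miguel:/bin/sh
-badguy:x:1000:1000:Some bad user:/home/badguy:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
dave:x:1003:1003:Dave:/home/dave:/bin/sh
"""
SHADOW = """\
root:!:15000:0:99999:7:::
carol:*$1$examplesalt$notarealhash:15000:0:99999:7:::
dave:$1$examplesalt$notarealhash:15000:0:99999:7:::
"""
HAS_KEYS = {"carol", "dave"}

if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW, HAS_KEYS):
        print(f"{account}: {finding}")
```

An account whose key file is present but whose hash is still live (dave) and a locked account with no keys (root) produce no finding, which is the behaviour the thread's advice predicts.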