Re: SSH ignores locked accounts
From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: Sun, 23 Nov 2003 10:58:40 -0500
"Darren Tucker" <firstname.lastname@example.org> wrote in message
> In article <k5adnXSf1IAtoCuiRVn-jA@comcast.com>,
> Nico Kadel-Garcia <email@example.com> wrote:
> >> [about sshd honouring locked accounts]
> >In many environments, this "insecurity" is a very big feature. By forcing
> >the remote users to use SSH key access rather than password based access,
> >allows a very fine grade of control over who has access to the account in
> You can still get this behaviour if that's what you want, just not by
> locking the account.
> Set the passwd entry to something that isn't the lock string but isn't a
> valid password either. Solaris, for example, uses the literal string "NP"
> for "Not Participating". This is mentioned in the sshd man page.
True! But it's information stored in a rather non-standard way. Many user
configuration tools use their own default string, usually "*", to lock
accounts. And the console "passwd" or "yppasswd" command does not usually
allow the use of pre-encrypted passwords, so you have to either edit
/etc/shadow or /etc/passwd by hand (always dangerous and prone to typos!),
or re-writing your user configuration tools to add a new "NP" option, etc.
I'm just saying it's adding an additional password option in a non-standard
way that takes some extra maintenance by your admins.
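An audit helper for the distinction the thread turns on, added here as an example and not code from the thread or from OpenSSH: it parses shadow-style entries and separates accounts whose password field carries the platform's lock marker (assumed here to be a leading "!") from accounts whose field is merely an unmatchable placeholder such as "*" or "NP", which sshd would still let in with a key. The lock prefix, the placeholder set and the sample entries are constructed assumptions; the real markers differ by platform and sshd build.

```python
"""Classify shadow password fields: locked vs. unmatchable-but-not-locked."""
from dataclasses import dataclass

# Assumed conventions (platform-dependent): a leading '!' is the lock marker
# that sshd honours; '*' and 'NP' can never match a password but are not
# lock markers, so key-based login still succeeds for such accounts.
LOCK_PREFIX = "!"
NO_PASSWORD = {"*", "NP", "*NP*"}


@dataclass
class ShadowEntry:
    user: str
    field: str
    state: str  # one of: "locked", "key-only", "empty", "hash"


def classify_field(field: str) -> str:
    """Return how sshd (under the assumptions above) would treat this field."""
    if field.startswith(LOCK_PREFIX):
        return "locked"          # account locked: no password, no key
    if field == "":
        return "empty"           # no password at all: worth flagging on its own
    if field in NO_PASSWORD or not (field.startswith("$") or len(field) == 13):
        return "key-only"        # password auth impossible, key auth still allowed
    return "hash"                # looks like a crypt(3) hash: password auth possible


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse colon-separated shadow lines, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(parts[0], parts[1], classify_field(parts[1])))
    return entries


def key_only_accounts(text: str) -> list[str]:
    """Accounts an admin may believe are locked but that still accept keys."""
    return [e.user for e in parse_shadow(text) if e.state == "key-only"]


# Constructed sample entries (hash values are placeholders, not real hashes).
SAMPLE = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
alice:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
bob:*:19000:0:99999:7:::
carol:NP:19000:0:99999:7:::
dave::19000:0:99999:7:::
"""
```

Running `key_only_accounts(SAMPLE)` reports bob and carol: both are unreachable by password yet not locked, which is exactly the state the "NP" trick deliberately creates.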