Re: SSH ignores locked accounts

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 11/23/03


Date: Sun, 23 Nov 2003 10:58:40 -0500


"Darren Tucker" <dtucker@dodgy.net.au> wrote in message
news:bp6gfk$21m$1@gate.dodgy.net.au...
> In article <k5adnXSf1IAtoCuiRVn-jA@comcast.com>,
> Nico Kadel-Garcia <nkadel@comcast.net> wrote:
> >> [about sshd honouring locked accounts]
> >
> >In many environments, this "insecurity" is a very big feature. By forcing
> >the remote users to use SSH key access rather than password based access, it
> >allows a very fine grade of control over who has access to the account in
> >question.
>
> You can still get this behaviour if that's what you want, just not by
> locking the account.
>
> Set the passwd entry to something that isn't the lock string but isn't a
> valid password either. Solaris, for example, uses the literal string "NP"
> for "Not Participating". This is mentioned in the sshd man page.

True! But it's information stored in a rather non-standard way. Many user
configuration tools use their own default string, usually "*", to lock
accounts. And the console "passwd" or "yppasswd" command does not usually
allow the use of pre-encrypted passwords, so you have to either edit
/etc/shadow or /etc/passwd by hand (always dangerous and prone to typos!),
or rewrite your user configuration tools to add a new "NP" option, etc.

I'm just saying it's adding an additional password option in a non-standard
way that takes some extra maintenance by your admins.
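
The distinction discussed in this thread, as an added example that is not part of the original post: a Python check that classifies shadow-style password fields using the per-platform lock markers listed in the sshd(8) man page. The platform keys, function names and sample entries are constructed for illustration, and the hash test is a heuristic.

```python
import string

# Lock markers per platform, as listed in the sshd(8) man page: (match kind, marker).
LOCK_RULES = {
    "linux":   ("prefix", "!"),
    "solaris": ("exact", "*LK*"),
    "hpux":    ("exact", "*"),
    "freebsd": ("prefix", "*LOCKED*"),
    "tru64":   ("substr", "Nologin"),
}
CRYPT_CHARS = set(string.ascii_letters + string.digits + "./")

def is_locked(field, platform):
    kind, marker = LOCK_RULES[platform]
    if kind == "exact":
        return field == marker
    if kind == "prefix":
        return field.startswith(marker)
    return marker in field

def classify(field, platform):
    """Return 'locked', 'empty', 'password' or 'key-only' for one passwd field."""
    if is_locked(field, platform):
        return "locked"      # sshd treats the account as inaccessible, keys included
    if field == "":
        return "empty"       # no password at all; flag for review
    # Heuristic: modular crypt ($id$...) or 13-character traditional DES crypt.
    if field.startswith("$") or (len(field) == 13 and set(field) <= CRYPT_CHARS):
        return "password"
    return "key-only"        # not a lock marker, not a possible hash (e.g. "NP")

def audit(shadow_text, platform):
    """Map each user in shadow(5)-formatted text to its classification."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        result[user] = classify(field, platform)
    return result

# Constructed sample entries, not taken from a real system.
SAMPLE = """\
alice:$6$salt$hashhashhash:19000:0:99999:7:::
backup:NP:19000::::::
carol:!$6$salt$hashhashhash:19000::::::
daemon:*:19000::::::
dave:*LK*:19000::::::
"""

if __name__ == "__main__":
    for platform in ("linux", "solaris", "hpux"):
        print(platform, audit(SAMPLE, platform))
```

The same "*" entry comes out as locked on HP-UX but as key-only on Linux and Solaris, which is why a tool's default lock string has to be checked against the platform's marker.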


