Re: SSH ignores locked accounts

From: Nico Kadel-Garcia
Date: 11/23/03

Date: Sun, 23 Nov 2003 10:58:40 -0500

"Darren Tucker" <> wrote in message
> In article <>,
> Nico Kadel-Garcia <> wrote:
> >> [about sshd honouring locked accounts]
> >
> >In many environments, this "insecurity" is a very big feature. Forcing
> >the remote users to use SSH key access rather than password-based access
> >allows a very fine grade of control over who has access to the account in
> >question.
> You can still get this behaviour if that's what you want, just not by
> locking the account.
> Set the passwd entry to something that isn't the lock string but isn't a
> valid password either. Solaris, for example, uses the literal string "NP"
> for "Not Participating". This is mentioned in the sshd man page.

True! But it's information stored in a rather non-standard way. Many user
configuration tools use their own default string, usually "*", to lock
accounts. And the console "passwd" or "yppasswd" command does not usually
allow the use of pre-encrypted passwords, so you have to either edit
/etc/shadow or /etc/passwd by hand (always dangerous and prone to typos!),
or rewrite your user configuration tools to add a new "NP" option, etc.

I'm just saying it's adding an additional password option in a non-standard
way that takes some extra maintenance by your admins.
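
The distinction discussed in this thread, as an added example that is not part of the original post: a small audit that reports, per platform, which shadow-style password fields count as "locked" and which are merely unusable as passwords (key login still possible). The lock-marker table, function names and sample entries are assumptions constructed for illustration; check the markers against your platform's sshd man page.

```python
"""Classify password fields of shadow-style entries (added example)."""
import string

# Assumption: markers sshd treats as "account locked" on each platform.
# The thread itself names only "*" (tool default) and "NP" (Solaris).
LOCK_RULES = {
    "solaris": {"exact": {"*LK*"}, "prefix": ()},
    "linux":   {"exact": set(),    "prefix": ("!",)},
    "hpux":    {"exact": {"*"},    "prefix": ()},
}
# Characters that can appear in a crypt(3) hash (traditional or "$id$" style).
HASH_CHARS = set(string.ascii_letters + string.digits + "./$")

def classify(field, platform):
    """Return 'empty', 'locked', 'password' or 'no-password' for one field."""
    rule = LOCK_RULES[platform]
    if field == "":
        return "empty"            # no password required at all
    if field in rule["exact"] or field.startswith(rule["prefix"]):
        return "locked"           # sshd refuses every auth method
    if len(field) >= 13 and set(field) <= HASH_CHARS:
        return "password"         # plausible hash, password login works
    return "no-password"          # e.g. "NP": matches no hash, keys still work

def audit(lines, platform):
    """Map user name -> classification for shadow-format lines."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        result[user] = classify(field, platform)
    return result

# Constructed sample entries, not taken from any real system.
SAMPLE = [
    "alice:$6$salt$hashhashhash:12345:0:99999:7:::",
    "deploy:NP:12345::::::",
    "backup:*:12345::::::",
    "olduser:*LK*:12345::::::",
    "guest:!$6$salt$hashhashhash:12345::::::",
]

if __name__ == "__main__":
    for platform in LOCK_RULES:
        print(platform, audit(SAMPLE, platform))
```

Running it over the same file with different platform rules shows how a tool's default "*" is a lock on one system and a key-only account on another.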