Re: SSH ignores locked accounts

From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 11/24/03

    Date: Mon, 24 Nov 2003 00:08:18 GMT
    
    

    In article <ULidnWwof8SrRF2iRVn-gw@comcast.com>,
    Nico Kadel-Garcia <nkadel@comcast.net> wrote:
    >
    >"Darren Tucker" <dtucker@dodgy.net.au> wrote in message
    >news:bp6gfk$21m$1@gate.dodgy.net.au...
    >> You can still get this behaviour if that's what you want, just not by
    >> locking the account.
    >>
    >> Set the passwd entry to something that isn't the lock string but isn't a
    >> valid password either. Solaris, for example, uses the literal string "NP"
    >> for "Not Participating". This is mentioned in the sshd man page.
    >
    >True! But it's information stored in a rather non-standard way. Many user
    >configuration tools use their own default string, usually "*", to lock
    >accounts. And the console "passwd" or "yppasswd" command does not usually
    >allow the use of pre-encrypted passwords, so you have to either edit
    >/etc/shadow or /etc/passwd by hand (always dangerous and prone to typos!),
    >or re-writing your user configuration tools to add a new "NP" option, etc.

    If you're squeamish about editing /etc/password (or shadow, or whatever)
    or can't for some reason, you could set a random password, not tell
    anyone what it is and forget it.

    I use something like this to generate random passwords I won't reuse:
    $ dd if=/dev/random bs=6 count=1 | mimencode

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
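
An added example, not part of the original post or of OpenSSH: shell functions that sort shadow-format password fields into the states this thread distinguishes, namely the platform lock string, a non-lock string that is not a valid password (such as "NP" or "*"), and a real hash. The lock markers (a leading "!" on Linux, the literal "*LK*" on Solaris) are assumptions taken from the sshd man page, the hash test is a heuristic, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
LC_ALL=C; export LC_ALL   # keep the character ranges below ASCII-only

# classify_pwfield FIELD [PLATFORM] -> locked | nopasswd | empty | hashed
# Assumption: lock markers as listed in sshd(8): a leading "!" on most
# Linuxes, the literal string "*LK*" on Solaris.
classify_pwfield() {
    field=$1
    platform=${2:-linux}
    # An empty field means no password is required at all.
    if [ -z "$field" ]; then echo empty; return; fi
    case "$platform" in
        linux)   case "$field" in '!'*)   echo locked; return ;; esac ;;
        solaris) case "$field" in '*LK*') echo locked; return ;; esac ;;
    esac
    # Heuristic: modular crypt hashes start with "$"; traditional DES crypt
    # is exactly 13 characters from [./0-9A-Za-z]. Anything else ("NP", "*")
    # can never match a typed password, yet is not the lock string.
    case "$field" in
        '$'*)             echo hashed;   return ;;
        *[!./0-9A-Za-z]*) echo nopasswd; return ;;
    esac
    if [ "${#field}" -eq 13 ]; then echo hashed; else echo nopasswd; fi
}

# audit_shadow PLATFORM < shadow-format input; prints "user state" per entry
audit_shadow() {
    while IFS=: read -r user field _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$user" "$(classify_pwfield "$field" "$1")"
    done
}

# Constructed sample entries (placeholder hashes, not real accounts).
sample_shadow() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
carol:NP:19000:0:99999:7:::
dave:*:19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow linux
```

Entries reported as `nopasswd` carry a string that is not the lock marker for the chosen platform, so an audit that only looks for locked accounts will not list them.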
    
