Re: SSH ignores locked accounts
From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: Mon, 24 Nov 2003 00:08:18 GMT
In article <ULidnWwof8SrRF2iRVnemail@example.com>,
Nico Kadel-Garcia <firstname.lastname@example.org> wrote:
>"Darren Tucker" <email@example.com> wrote in message
>> You can still get this behaviour if that's what you want, just not by
>> locking the account.
>> Set the passwd entry to something that isn't the lock string but isn't a
>> valid password either. Solaris, for example, uses the literal string "NP"
>> for "Not Participating". This is mentioned in the sshd man page.
>True! But it's information stored in a rather non-standard way. Many user
>configuration tools use their own default string, usually "*", to lock
>accounts. And the console "passwd" or "yppasswd" command does not usually
>allow the use of pre-encrypted passwords, so you have to either edit
>/etc/shadow or /etc/passwd by hand (always dangerous and prone to typos!),
>or re-rewriting your user configuration tools to add a new "NP" option, etc.
If you're squeamish about editing /etc/password (or shadow, or whatever)
or can't for some reason, you could set a random password, not tell
anyone what it is and forget it.
I use something like this to generate random passwords I won't reuse:
$ dd if=/dev/random bs=6 count=1 | mimencode
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
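
Added example, not part of the original post: a small audit helper that sorts password fields into the cases the thread distinguishes (locked, unusable for password login such as "NP", empty, real hash). It assumes the lock markers listed in the sshd(8) man page for Linux (leading "!") and Solaris ("*LK*"); the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Lock markers assumed here: leading "!" (most Linuxes) and "*LK*" (Solaris),
# per sshd(8). On HP-UX a bare "*" is itself the lock string; adjust if needed.

# classify_field FIELD -> prints one of: locked, no-password, empty, hash
classify_field() {
    case "$1" in
        '')            echo empty ;;   # no password required at all
        '!'*|'*LK*'*)  echo locked ;;  # sshd treats the account as inaccessible
        '$'*)          echo hash ;;    # modular crypt(3) hash: password login possible
        *)
            # Traditional DES crypt is exactly 13 chars from [./0-9A-Za-z];
            # anything else ("NP", "*", "x") can never match a typed password.
            if [ "${#1}" -eq 13 ] && ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'; then
                echo hash
            else
                echo no-password
            fi ;;
    esac
}

# audit_shadow: read shadow-style "user:field:..." lines on stdin,
# print "user status" for each entry.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Constructed sample entries (not real accounts or hashes).
SAMPLE='alice:$6$saltsalt$abcdefghijklmnopqrstuv:19000:0:99999:7:::
backup:NP:19000::::::
bob:!$6$saltsalt$abcdefghijklmnopqrstuv:19000:0:99999:7:::
daemon:*:19000::::::
oldsvc:*LK*:19000::::::
legacy:ab01FAX.bQRSU:19000::::::'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_shadow; }
audit_sample
```

Entries reported as "no-password" are the ones that can still be reached by public key while password login is impossible; "locked" entries are refused by sshd regardless of authentication method.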