suspending login
Eric McCoy
emccoy at haystacks.org
Thu Apr 7 06:48:33 PDT 2005
Ean Kingston wrote:
> If you change the password entry then, when you want
> to enable the user again, the user has to enter a new password. This way,
> the user keeps his/her old password. Note, the question asked for suspend,
> not remove. I read suspend as implying that the account may be used again.

No, you don't replace the password, you just insert an invalid character
- one which can never be the result of crypt(). That invalid character
is typically an asterisk. To unlock the account, you remove the
asterisk. It's how pw usermod -L and -U work.

For the OP, it's important to use all three approaches if your victim is
untrustworthy. If you change the password but nothing else he can still
get in via SSH; if you change the shell but nothing else he can still
get in via FTP (possibly); if you change the home directory but nothing
else he can still get in via SSH (and mess with /tmp or /var/tmp). So
if you are locking out the user to preserve evidence of some misdeed, be
sure to do all three.

If this is just a real-life buddy who's welching on some money he owes
you, though, doing only one will probably be sufficient. (Well, doing
one and saying things to him like "I bought a .45 last week" and "It
turns out that if you do enough cocaine most juries won't convict you of
murder.")
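
A read-only check for the three steps described in the message above, as an added example that is not part of the original post: it reads master.passwd-format records on stdin and reports, for one account, whether the password field starts with the asterisk, whether the shell refuses logins, and whether the home directory has been moved. The sample records, the function name `audit_lockout`, and the choice of `nologin`/`false` and `/nonexistent`/`/var/empty` as the "locked" shell and home values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): read-only lockout audit.
# Input: records in FreeBSD master.passwd(5) layout on stdin:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Constructed sample records; the hashes are placeholders, not real crypt() output.
SAMPLE='alice:$6$salt$placeholderhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*$6$salt$placeholderhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*$6$salt$placeholderhash:1003:1003::0:0:Carol:/nonexistent:/usr/sbin/nologin'

# audit_lockout USER   (hypothetical helper name)
# Prints one status line; returns 0 if all three steps are in place,
# 1 if any step is missing, 2 if USER is not in the input.
audit_lockout() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            # Password: a leading "*" can never be the result of crypt().
            pw = (substr($2, 1, 1) == "*") ? "locked" : "open"
            # Shell: assumed locked values are nologin and false.
            sh = ($10 ~ /\/(nologin|false)$/) ? "locked" : "open"
            # Home: assumed locked values are /nonexistent and /var/empty.
            home = ($9 == "/nonexistent" || $9 == "/var/empty") ? "locked" : "open"
            printf "%s password=%s shell=%s home=%s\n", u, pw, sh, home
            gaps = (pw == "open") + (sh == "open") + (home == "open")
        }
        END {
            if (!found) exit 2
            exit (gaps > 0)
        }
    '
}

# Demo over the constructed sample; "|| true" keeps the loop going on gaps.
for account in alice bob carol; do
    printf '%s\n' "$SAMPLE" | audit_lockout "$account" || true
done
```

On a live system the same function can be fed the real file as root: `audit_lockout someuser < /etc/master.passwd`.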