suspending login

[Eric McCoy]

Ean Kingston wrote:
> If you change the password entry then, when you want
> to enable the user again, the user has to enter a new password. This way,
> the user keeps his/her old password. Note, the question asked for suspend,
> not remove. I read suspend as implying that the account may be used again.

No, you don't replace the password, you just insert an invalid character 
- one which can never be the result of crypt().  That invalid character 
is typically an asterisk.  To unlock the account, you remove the 
asterisk.  It's how pw usermod -L and -U work.

For the OP, it's important to use all three approaches if your victim is 
untrustworthy.  If you change the password but nothing else he can still 
get in via SSH; if you change the shell but nothing else he can still 
get in via FTP (possibly); if you change the home directory but nothing 
else he can still get in via SSH (and mess with /tmp or /var/tmp).  So 
if you are locking out the user to preserve evidence of some misdeed, be 
sure to do all three.

If this is just a real-life buddy who's welching on some money he owes 
you, though, doing only one will probably be sufficient.  (Well, doing 
one and saying things to him like "I bought a .45 last week" and "It 
turns out that if you do enough cocaine most juries won't convict you of 
murder.")