suspending login

Ean Kingston ean at hedron.org
Thu Apr 7 12:19:41 PDT 2005


> Ean Kingston wrote:
>> If you change the password entry then, when you want
>> to enable the user again, the user has to enter a new password. This way,
>> the user keeps his/her old password. Note, the question asked for suspend,
>> not remove. I read suspend as implying that the account may be used again.
>
> No, you don't replace the password, you just insert an invalid character
> - one which can never be the result of crypt().  That invalid character
> is typically an asterisk.  To unlock the account, you remove the
> asterisk.  It's how pw usermod -L and -U work.

I hadn't considered that. I will be doing that from now on. Thanks.

> For the OP, it's important to use all three approaches if your victim is
> untrustworthy.  If you change the password but nothing else he can still
> get in via SSH; if you change the shell but nothing else he can still
> get in via FTP (possibly); if you change the home directory but nothing
> else he can still get in via SSH (and mess with /tmp or /var/tmp).  So
> if you are locking out the user to preserve evidence of some misdeed, be
> sure to do all three.
>
> If this is just a real-life buddy who's welching on some money he owes
> you, though, doing only one will probably be sufficient.  (Well, doing
> one and saying things to him like "I bought a .45 last week" and "It
> turns out that if you do enough cocaine most juries won't convict you of
> murder.")

I hadn't thought of that either.

-- 
Ean Kingston
    E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
       URL: http://www.hedron.org/
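
An added example, not part of the original thread: a small check that reads master.passwd-format lines and reports which of the three measures discussed above (password lock, shell, home directory) are still missing for an account. The sample entries are constructed, and the lists of accepted non-login shells and placeholder home directories are assumptions to adjust to local policy.

```shell
#!/bin/sh
# Constructed sample in master.passwd(5) layout (10 colon-separated fields):
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
SAMPLE='alice:$2b$04$constructedhashvalue:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*$2b$04$constructedhashvalue:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*$2b$04$constructedhashvalue:1003:1003::0:0:Carol:/nonexistent:/usr/sbin/nologin'

# suspend_gaps USER   (reads master.passwd-format lines on stdin)
# Prints the suspension measures that are still missing for USER.
# Exit status: 0 = all three in place, 1 = gaps remain, 2 = user not found.
suspend_gaps() {
    awk -F: -v user="$1" '
        $1 == user {
            found = 1
            gaps = ""
            # A leading "*" can never be produced by crypt(), so no password matches.
            if (substr($2, 1, 1) != "*") gaps = gaps " password"
            # Assumed set of non-login shells; adjust to local policy.
            if ($10 != "/usr/sbin/nologin" && $10 != "/sbin/nologin") gaps = gaps " shell"
            # Assumed placeholder home directories; adjust to local policy.
            if ($9 != "/nonexistent" && $9 != "/var/empty") gaps = gaps " home"
            sub(/^ /, "", gaps)
            print gaps
            exit
        }
        END { if (!found) exit 2; if (gaps != "") exit 1 }
    '
}

# Report on the constructed sample accounts.
for u in alice bob carol; do
    printf '%s: missing [%s]\n' "$u" "$(printf '%s\n' "$SAMPLE" | suspend_gaps "$u")"
done
```

On a live system the same function can be fed from the real password database by a privileged user instead of the sample variable.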




More information about the freebsd-questions mailing list