Locking accounts (was Re: What does '*' symbol in /etc/passwd means?)

Charles H. Buchholtz chip at pender.ee.upenn.edu
Fri Jun 7 00:35:07 AEST 1991


In article <44240 at netnews.upenn.edu> george at mech.seas.upenn.edu writes:
>:I've heard the practice of replacing this field with an '*' as 'starring-out'
>:the password, making it impossible for someone to login to that ID since the
>:password encryption mechanism is guaranteed to fail.  I've routinely made
>:this field "*LOCKED*" or "*NO LOGIN*"  to achieve the same purpose.
>
>of interest.. no entry in the password field ( "*", null, random characters )
>"locks" the account if the user has enabled no-password rlogin via a .rlogin
>entry.  I suppose this is obvious, but I had to try it to find out.
>
>In this case you can lock the user out by corrupting his home directory entry
>as well as his password.

I've frequently logged in with a corrupted home directory entry in the
passwd file.  I get a message "No home directory!  Using / for home!"
or some such.  You're right about rlogin, though.

When I want to lock an account I change the shell to something that
will print out an explanation.  This is nicer for the person being
locked out.  It also prevents login, rlogin, telnet, rsh, and ftp
(because the shell is not listed in /etc/shells).

I haven't found any way to get past this, it causes less confusion
(the lockee doesn't think they forgot their password, they know
exactly what happened), and four months later when you are trying to
figure out why this account is locked, you can just run the shell and
read the message.  If you're in a hurry, you can use /bin/true for the
shell.


      Charles H. Buchholtz            chip at ee.upenn.edu
      Systems Programmer              Electrical Engineering
                                      University of Pennsylvania.
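As an added illustration of the two locking techniques discussed in this thread (this is example code, not anything from the post or from a UNIX distribution of the time): a POSIX sh script with a `lock_shell_message` function showing what an explanatory "locking shell" prints before it exits non-zero, and an `audit_accounts` function that reads passwd-format lines together with an /etc/shells list and reports, per account, whether the password field is starred and whether the login shell is listed (unlisted shells are what make ftpd refuse the account). The passwd and shells contents are constructed samples, and the path /usr/local/sbin/locked is an assumed location for such a shell.

```shell
#!/bin/sh
# Added example, not code from the original post. Two pieces:
#   lock_shell_message - what a "locking shell" prints when it is the login
#                        shell of a disabled account, then exits non-zero.
#   audit_accounts     - reads passwd-format lines plus an /etc/shells list
#                        and reports, per account, whether the password field
#                        is starred and whether the shell is listed (ftpd
#                        refuses shells not listed in /etc/shells).
# The passwd and shells contents below are constructed samples; the path
# /usr/local/sbin/locked is an assumed location for a locking shell.

lock_shell_message() {
    # Text the locking shell prints; returning 1 ends the login session.
    printf 'This account (%s) has been disabled.\n' "$1"
    printf 'Contact the system administrator if you believe this is an error.\n'
    return 1
}

# Constructed sample data (not real accounts or real password hashes).
SAMPLE_PASSWD='alice:AbCd1234efgh:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*LOCKED*:1003:1003:Carol:/home/carol:/usr/local/sbin/locked
dave:XyZw9876stuv:1004:1004:Dave:/home/dave:/bin/true'

SAMPLE_SHELLS='/bin/sh
/bin/csh'

# shell_listed SHELL SHELLS-TEXT: succeed if SHELL appears as a whole line.
shell_listed() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# classify_account NAME PW SHELL SHELLS-TEXT
# Prints "NAME password=starred|set shell=listed|unlisted".
# A field beginning with '*' can never equal a crypt(3) result, so password
# authentication fails; note it does not by itself stop .rhosts-trusted
# rlogin, which is why the shell state is reported alongside it.
classify_account() {
    case "$2" in
        \**) pwstate=starred ;;
        *)   pwstate=set ;;
    esac
    if shell_listed "$3" "$4"; then
        shstate=listed
    else
        shstate=unlisted
    fi
    printf '%s password=%s shell=%s\n' "$1" "$pwstate" "$shstate"
}

# audit_accounts PASSWD-TEXT SHELLS-TEXT: classify every passwd line.
audit_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        classify_account "$name" "$pw" "$shell" "$2"
    done
}

# audit_lookup NAME PASSWD-TEXT SHELLS-TEXT: the report line for one account.
audit_lookup() {
    audit_accounts "$2" "$3" | grep "^$1 "
}

# Run with --demo to print the report and show the locking shell's message.
if [ "${1:-}" = "--demo" ]; then
    audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
    lock_shell_message carol || echo "(locking shell exited with status $?)"
fi
```

In the sample, only carol is locked both ways; bob has a starred password but a listed shell, and dave has a valid password but /bin/true as his shell, which is the "in a hurry" variant from the post: login is refused, but nobody can tell why four months later.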


