Do not use blank lines in /etc/pass

kenny at uiucdcsb.cs.uiuc.edu
Mon Oct 27 06:35:00 AEST 1986


/* Written 7:36 pm Oct 24, 1986 by eric at cti.UUCP in uiucdcsb:net.unix-wizards */ 
[ ... ]

>There is always an amount of turnover at universities and companies, and
>user accounts need to be zapped and/or de-activated.  Many times, however,
>the *files* owned by those folks, in those directories, want to remain;
>there are also occasions where it is desirable to temporarily prevent a user
>or account from logging in.  A superuser (or adequately privileged user) can
>zap the user's password, either with the passwd command or by editing the
>/etc/passwd file, but since there is "no" way to determine a user's password
>from the encrypted form in /etc/passwd, it's hard to set it back.

>A convenient method is to edit the passwd file and insert some character
>at the beginning of the password string.  I like to use '%', because it is
>one of the characters that is never generated in an encryption string and
>is easy to find and edit out later.  A password can NEVER be entered which
>matches the user's (new) password, preventing logins (and su's other than
>by root), yet it is easy to give that person his/her password back.

>Eric Black   "Garbage In, Gospel Out"

The method we use here is to add a program, /usr/local/shZAPPED, which
prints a message indicating that one's account has been deactivated and
terminates.  Changing the user's shell to be this program forbids logging in
but does nothing to the files, account name, OR password.

Kevin Kenny			UUCP: {ihnp4,pur-ee,convex}!uiucdcs!kenny
Department of Computer Science	ARPA: kenny at B.CS.UIUC.EDU (kenny at UIUC.ARPA)
University of Illinois		CSNET: kenny at UIUC.CSNET
1304 W. Springfield Ave.
Urbana, Illinois, 61801		Voice: (217) 333-7980
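
An added example, not part of the original posts: a small audit that reports which accounts in a passwd-format file are deactivated by either method described above (a character outside the crypt alphabet in the password field, or the shell set to /usr/local/shZAPPED). It assumes classic 7-field entries with the encrypted password in field 2; the sample entries and the status names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which accounts are deactivated, and by which of the
# two methods in this thread. Assumes classic 7-field passwd lines with the
# crypt(3) string in field 2 (no shadow file).
ZAPPED_SHELL=/usr/local/shZAPPED   # path named in the reply above

# Constructed sample data; the password strings are made up.
sample_passwd() {
cat <<'EOF'
root:Ab3dEfGhIjKlM:0:0:Super User:/:/bin/sh
alice:Qz9.xY/2LmN0p:101:10:Alice:/usr/alice:/bin/csh
bob:%Qz9.xY/2LmN0p:102:10:Bob:/usr/bob:/bin/csh

carol:Hh7/aaBBccDD1:103:10:Carol:/usr/carol:/usr/local/shZAPPED
dave:%Tt5.uuVVwwXX2:104:10:Dave:/usr/dave:/usr/local/shZAPPED
EOF
}

# audit_passwd: read passwd-format lines on stdin, print "user<TAB>status".
audit_passwd() {
    awk -F: -v zapped="$ZAPPED_SHELL" '
        /^[ \t]*$/ { next }                      # skip blank lines
        NF != 7    { printf "%s\tmalformed\n", $1; next }
        {
            status = "active"
            # A classic crypt(3) string uses only [./0-9A-Za-z]; any other
            # character (such as a leading %) can never match typed input.
            if ($2 == "") {
                status = "no-password"
            } else if ($2 ~ "[^./0-9A-Za-z]") {
                status = "locked-by-password-prefix"
            }
            # The shell check is independent of the password field.
            if ($7 == zapped)
                status = (status ~ /^locked/) ? "locked-both" : "locked-by-shell"
            printf "%s\t%s\n", $1, status
        }'
}

sample_passwd | audit_passwd
```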


