From owner-freebsd-questions@FreeBSD.ORG Wed Apr 6 18:31:15 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0896116A4CE; Wed, 6 Apr 2005 18:31:15 +0000 (GMT)
Received: from prosporo.hedron.org (hedron.org [66.11.182.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0BA0643D48; Wed, 6 Apr 2005 18:31:14 +0000 (GMT) (envelope-from ean@hedron.org)
Received: from www.hedron.org (localhost.hedron.org [127.0.0.1]) by prosporo.hedron.org (Postfix) with ESMTP id 72714C12C; Wed, 6 Apr 2005 14:32:08 -0400 (EDT)
Received: from 216.220.59.169 (SquirrelMail authenticated user ean); by www.hedron.org with HTTP; Wed, 6 Apr 2005 14:32:08 -0400 (EDT)
Message-ID: <1318.216.220.59.169.1112812328.squirrel@216.220.59.169>
In-Reply-To: <1112789082.28348.5.camel@mis3c.rtl.lan>
References: <42531440.30103@adelphia.net> <200504051850.33281.ean@hedron.org> <1112789082.28348.5.camel@mis3c.rtl.lan>
Date: Wed, 6 Apr 2005 14:32:08 -0400 (EDT)
From: "Ean Kingston"
To: "Jason Stewart"
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
cc: questions@freebsd.org
cc: freebsd-questions@freebsd.org
cc: Ean Kingston
Subject: Re: suspending login
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 06 Apr 2005 18:31:15 -0000

> On Tue, 2005-04-05 at 18:50 -0400, Ean Kingston wrote:
>> On April 5, 2005 06:42 pm, Bob Ababurko wrote:
>> > Hello all-
>> >
>> > I am trying to figure out how to suspend a login for a user. Do I have
>> > to do this with password aging or is there an easier (read brute force)
>> > way to disallow a user from logging in?
>>
>> The safest way is to set the shell to /sbin/nologin and the home directory
>> to /nonexistent in your auth system. The latter is especially needed if you
>> allow ssh for remote login since the public-key authentication mechanisms
>> sometimes bypass the normal login restrictions.
>
> Am I mistaken here, or will doing that only deny the user a shell and
> home directory? The user will still be able to authenticate against the
> password database, right?
>
> To the best of my knowledge the "correct" way of doing this is either
> the asterisk method in the password field using vipw or the more user
> friendly way of using pw(8) with the lock command.

Yes, that will allow the user to authenticate against the password database, but the user has no home directory and a shell that kicks the user out right away.

If you change the password entry then, when you want to enable the user again, the user has to enter a new password. This way, the user keeps his/her old password.

Note, the question asked for suspend, not remove. I read suspend as implying that the account may be used again. If what is wanted is a permanent removal of the user then the entire home directory and its contents should be removed as well. Also, a search for all files owned by that user needs to be done and those files need to be cleaned up.

--
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/
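The thread discusses three ways to suspend an account on FreeBSD: the asterisk in the password field via vipw(8), pw(8) lock, and a /sbin/nologin shell with a /nonexistent home directory. The script below is an added example, not code from the thread or from FreeBSD. It classifies master.passwd(5)-style entries so you can see, from the entry alone, which of those measures is in effect. It assumes the documented pw(8) behaviour that `pw lock` prepends the literal string `*LOCKED*` to the password field (which is why the old hash survives an unlock), and it uses constructed sample entries with placeholder hashes. The pw(8) invocations are shown in comments only; the script does not modify any system.

```sh
#!/bin/sh
# Added example (not part of the mailing-list thread). Classify master.passwd
# entries by the suspension method used. master.passwd(5) field order:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
#
# Commands the thread discusses (shown for reference, not executed here):
#   pw lock bob        # prepends "*LOCKED*" to bob's password field
#   pw unlock bob      # strips it again; the original hash is retained
#   pw usermod bob -s /sbin/nologin -d /nonexistent
#   vipw               # edit the password field to a single "*" by hand

NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false"

# Prints a comma-separated state for one entry, e.g.
#   "password-locked(pw lock),shell-nologin,home-nonexistent"
account_state() {
    line=$1
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    home=$(printf '%s\n' "$line" | cut -d: -f9)
    shell=$(printf '%s\n' "$line" | cut -d: -f10)

    case $pw in
        '*LOCKED*'*) state="password-locked(pw lock)" ;;   # pw(8) lock
        '*')         state="password-locked(vipw asterisk)" ;;
        '')          state="password-empty" ;;
        *)           state="password-ok" ;;
    esac

    # A nologin shell denies an interactive session but, as the thread notes,
    # does not stop authentication itself, so report it separately.
    for s in $NOLOGIN_SHELLS; do
        [ "$shell" = "$s" ] && state="$state,shell-nologin"
    done
    [ "$home" = "/nonexistent" ] && state="$state,home-nonexistent"

    printf '%s\n' "$state"
}

# Returns 0 when the entry can still authenticate against the password
# database (the concern Jason raises about the nologin-only approach).
password_auth_possible() {
    case $(account_state "$1") in
        password-locked*|password-empty*) return 1 ;;
        *) return 0 ;;
    esac
}

# Shows that undoing a pw(8) lock restores the original hash unchanged.
unlock_hash() {
    printf '%s\n' "$1" | sed 's/^\*LOCKED\*//'
}

# Constructed sample entries; the hashes are placeholders, not real hashes.
SAMPLE_PW_LOCK='bob:*LOCKED*$6$saltsalt$fakehash:1001:1001::0:0:Bob:/home/bob:/bin/sh'
SAMPLE_VIPW='carol:*:1002:1002::0:0:Carol:/home/carol:/bin/sh'
SAMPLE_NOLOGIN='dave:$6$saltsalt$fakehash:1003:1003::0:0:Dave:/nonexistent:/sbin/nologin'

for l in "$SAMPLE_PW_LOCK" "$SAMPLE_VIPW" "$SAMPLE_NOLOGIN"; do
    printf '%s -> %s\n' "${l%%:*}" "$(account_state "$l")"
done
```

Run it as `sh suspend-check.sh` (any name will do) on a FreeBSD or other POSIX system; to audit a real system, feed it the output of `getent passwd` only if you account for the different field layout, since getent prints the 7-field passwd(5) form rather than master.passwd(5).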