Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 6 Apr 2005 14:32:08 -0400 (EDT)
From:      "Ean Kingston" <ean@hedron.org>
To:        "Jason Stewart" <jstewart@rtl.org>
Cc:        Ean Kingston <ean@hedron.org>
Subject:   Re: suspending login
Message-ID:  <1318.216.220.59.169.1112812328.squirrel@216.220.59.169>
In-Reply-To: <1112789082.28348.5.camel@mis3c.rtl.lan>
References:  <42531440.30103@adelphia.net>  <200504051850.33281.ean@hedron.org> <1112789082.28348.5.camel@mis3c.rtl.lan>
next in thread | previous in thread | raw e-mail | index | archive | help 

> On Tue, 2005-04-05 at 18:50 -0400, Ean Kingston wrote:
>> On April 5, 2005 06:42 pm, Bob Ababurko wrote:
>> > Hello all-
>> >
>> > I am trying to figure out how to suspend a login for a user.  Do I
>> have
>> > to do this with password aging or is there an easier(read brute force)
>> > way to disallow a user from logging in?
>>
>> the safest way is to set the shell to /sbin/nologin and the home
>> directory
>> to /nonexistant in your auth system. The latter is especially needed if
>> you
>> allow ssh for remote login since the public-key authentication
>> mechanisms
>> sometimes bypass the normal login restrictions.
>>
>
> Am I mistaken here, or will doing that only deny the user a shell and
> home directory? The user will still be able to authenticate against the
> password database right?
>
> To the best of my knowledge the "correct" way of doing this is either
> the asterisk method in the password field using vipw or the more user
> friendly way of using pw(8) with the lock command.

Yes, that will allow the user to authenticate against the password
database but the user has no home directory and a shell that kicks the
user out right away. If you change the password entry then, when you want
to enable the user again, the user has to enter a new password. This way,
the user keeps his/her old password. Note, the question asked for suspend,
not remove. I read suspend as implying that the account may be used again.

If what is wanted is a permanent removal of the user then the entire
home-directory and it's contents should be removed as well. Also, a search
for all files owned by that user needs to be done and those files need to
be  cleaned up.

-- 
Ean Kingston
    E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
       URL: http://www.hedron.org/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1318.216.220.59.169.1112812328.squirrel>