Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > secureshell > 03 > 020426.html (Request Expert securityfocus.com Support)

RE: Lock Account

From: Parsons, Rick <rick.parsons(at)eds.com>
Date: Fri Feb 21 2003 - 06:46:20 EST


Miguel said ...

If you want to disable a user temporaly you can add an asterisk (*) before the corresponding entry
of that
user in the /etc/passwd file:

before:

 miguel:x:500:500:miguel gonzalez:/home/miguel:/bin/bash

 *miguel:x:500:500:miguel gonzalez:/home/miguel:/bin/bash

 HTH  Miguel

... this is a very dangerous MYTH. It does not disable the account (there is no comment structure for the passwd file), all it does is change the name of it. So, although the user can no longer log into to the "miguel" account, they could log into one called "*miguel". It is true that in this particular case, the system seems to be using a shadow password file and the corresponding shadow entry has not been renamed, hence the login would fail, but in the general case this may not be true - it depends on your system. Another drawback to this method is that now all the files that were previously owned by "miguel" are now owned by "*miguel", potentially creating confusion.

Depending on the password management system on your system, there are betters ways to disable accounts. On a traditional unix system using 13 character password hashes, an effective way is to insert the "*" onto the front of the hashed passwd making it 14 characters and containing an invalid character. No login will succeed but all other services function as normal

Do you need help?X

Rick Parsons

Bristol, England Received on Fri Feb 21 12:27:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:54 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library