Re: Lock Account

> > If you want to disable a user temporaly you can add an asterisk (*) before
...
>
> ... this is a very dangerous MYTH. It does not disable the account (there is
...

However if you prepend with "-" that will disable the account on many unix variants by abusing an NIS trick. (You dictate which NIS accounts or groups to not include by using -name entries.)

Try it out:

$ tail -1 /etc/passwd
badguy:x:1000:1000:Some bad user:/home/badguy:/bin/sh

$ perl -e 'while (($username)=getpwent()) { print " $username\n"; }' | grep badguy badguy

# vi /etc/passwd
 (prepend '-')

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

$ tail -1 /etc/passwd
-badguy:x:1000:1000:Some bad user:/home/badguy:/bin/sh

$ perl -e 'while (($username)=getpwent()) { print " $username\n"; }' | grep badguy $

> Depending on the password management system on your system, there are

Still doesn't work if the user has alternate authentication methods, such as SSH identities, which do not require valid /etc/shadow entries. Better to remove the whole account by editing /etc/passwd.

--
Brian Hatch                  Ever wonder what the
   Systems and                speed of lightning
   Security Engineer          would be if it
www.hackinglinuxexposed.com   didn't zigzag?

Every message PGP signed