From: Jason Stewart
To: Ean Kingston
Cc: questions@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: Re: suspending login
Date: Wed, 06 Apr 2005 08:04:42 -0400
Organization: Right to Life of Michigan
Message-Id: <1112789082.28348.5.camel@mis3c.rtl.lan>
In-Reply-To: <200504051850.33281.ean@hedron.org>
References: <42531440.30103@adelphia.net> <200504051850.33281.ean@hedron.org>

On Tue, 2005-04-05 at 18:50 -0400, Ean Kingston wrote:
> On April 5, 2005 06:42 pm, Bob Ababurko wrote:
> > Hello all-
> >
> > I am trying to figure out how to suspend a login for a user. Do I have
> > to do this with password aging or is there an easier (read brute force)
> > way to disallow a user from logging in?
>
> the safest way is to set the shell to /sbin/nologin and the home directory
> to /nonexistant in your auth system. The latter is especially needed if you
> allow ssh for remote login since the public-key authentication mechanisms
> sometimes bypass the normal login restrictions.
>

Am I mistaken here, or will doing that only deny the user a shell and
home directory? The user will still be able to authenticate against the
password database, right? To the best of my knowledge the "correct" way of
doing this is either the asterisk method in the password field using
vipw or the more user friendly way of using pw(8) with the lock command.

Jason
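
The distinction discussed above, as an added example that is not part of the original message: a small audit that separates accounts whose password field is locked or disabled from accounts that only have a nologin shell and therefore still hold a valid password hash. The helper name `audit_passwd` and the sample lines are constructed for illustration; the `*LOCKED*` prefix is what pw(8) documents for its lock command.

```shell
#!/bin/sh
# Added example (not from the thread). master.passwd fields:
# name:password:uid:gid:class:change:expire:gecos:home:shell

# audit_passwd (hypothetical helper): reads master.passwd-format lines on
# stdin and prints "name status" for each account.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 10 { next }             # skip comments and short lines
        {
            pw = $2; shell = $10
            if (index(pw, "*LOCKED*") == 1)
                status = "locked-by-pw"      # pw lock prepends *LOCKED*
            else if (pw == "")
                status = "empty-password"    # no password set at all
            else if (substr(pw, 1, 1) == "*")
                status = "password-disabled" # the asterisk method (vipw)
            else if (shell ~ /nologin$/)
                status = "password-valid-nologin-shell"
            else
                status = "active"
            print $1, status
        }'
}

# Constructed sample entries; the hashes are placeholders, not real ones.
SAMPLE='alice:$6$CONSTRUCTED$placeholder:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$CONSTRUCTED$placeholder:1002:1002::0:0:Bob:/nonexistant:/sbin/nologin
carol:*LOCKED*$6$CONSTRUCTED$placeholder:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:0:Dave:/home/dave:/bin/sh
erin::1005:1005::0:0:Erin:/home/erin:/bin/sh'

# On a real system the input would be /etc/master.passwd, read as root.
printf '%s\n' "$SAMPLE" | audit_passwd
```

It looks only at the password field and the shell; SSH public-key login, which the quoted reply raises, is outside what it checks.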