From owner-freebsd-questions@FreeBSD.ORG Thu Apr 7 13:48:33 2005
From: Eric McCoy
To: Ean Kingston
cc: freebsd-questions@freebsd.org
Date: Thu, 07 Apr 2005 09:48:30 -0400
Subject: Re: suspending login
Message-ID: <42553A2E.4070005@haystacks.org>
References: <42531440.30103@adelphia.net> <200504051850.33281.ean@hedron.org> <1112789082.28348.5.camel@mis3c.rtl.lan> <1318.216.220.59.169.1112812328.squirrel@216.220.59.169>
In-Reply-To: <1318.216.220.59.169.1112812328.squirrel@216.220.59.169>

Ean Kingston wrote:
> If you change the password entry then, when you want to enable the user again,
> the user has to enter a new password. This way, the user keeps his/her old
> password. Note, the question asked for suspend, not remove. I read suspend as
> implying that the account may be used again.

No, you don't replace the password, you just insert an invalid character - one which can never be the result of crypt().
That invalid character is typically an asterisk. To unlock the account, you remove the asterisk. It's how pw usermod -L and -U work.

For the OP, it's important to use all three approaches if your victim is untrustworthy. If you change the password but nothing else he can still get in via SSH; if you change the shell but nothing else he can still get in via FTP (possibly); if you change the home directory but nothing else he can still get in via SSH (and mess with /tmp or /var/tmp). So if you are locking out the user to preserve evidence of some misdeed, be sure to do all three. If this is just a real-life buddy who's welching on some money he owes you, though, doing only one will probably be sufficient. (Well, doing one and saying things to him like "I bought a .45 last week" and "It turns out that if you do enough cocaine most juries won't convict you of murder.")
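The mechanism described above (an asterisk in the hash field that crypt() can never produce, reversible by removing it) and the "do all three" advice, as an added example that is not part of the original thread: a small audit over constructed master.passwd lines that reports which of the three locks (password, shell, home) an entry carries and flags accounts that were only partly suspended. The nologin shells and the "locked home" directories are assumed conventions, not something the post specifies.

```python
"""Audit constructed master.passwd lines (name:password:uid:gid:class:change:expire:gecos:home:shell)
for accounts that were only partly suspended."""
import string

# Every character crypt(3) can emit: the hash alphabet plus '$' for modular-crypt prefixes.
CRYPT_CHARS = set(string.ascii_letters + string.digits + "./$")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
LOCKED_HOMES = {"/nonexistent", "/var/empty"}  # assumed convention for a locked home

def password_locked(hash_field: str) -> bool:
    """True if the field holds a character crypt() never emits (e.g. '*'): no password can match."""
    return bool(hash_field) and any(c not in CRYPT_CHARS for c in hash_field)

def lock_password(hash_field: str) -> str:
    """Prefix an asterisk; the old hash is kept intact so the lock is reversible."""
    return hash_field if hash_field.startswith("*") else "*" + hash_field

def unlock_password(hash_field: str) -> str:
    """Strip the asterisk and the user's original password works again."""
    return hash_field[1:] if hash_field.startswith("*") else hash_field

def audit_entry(line: str) -> dict:
    """Report which of the three locks (password, shell, home) are applied to one entry."""
    f = line.rstrip("\n").split(":")
    if len(f) != 10:
        raise ValueError("not a master.passwd line: %r" % line)
    locks = {
        "password_locked": password_locked(f[1]),
        "shell_locked": f[9] in NOLOGIN_SHELLS,
        "home_locked": f[8] in LOCKED_HOMES,
    }
    return {"user": f[0], "fully_suspended": all(locks.values()), **locks}

def partially_suspended(lines) -> list:
    """Names of accounts with at least one lock applied but not all three."""
    out = []
    for s in map(audit_entry, lines):
        applied = [s[k] for k in ("password_locked", "shell_locked", "home_locked")]
        if any(applied) and not all(applied):
            out.append(s["user"])
    return out

# Constructed sample entries, not taken from any real system.
SAMPLE = [
    "alice:$6$saltsalt$fakehash:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:*$6$saltsalt$fakehash:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:*$6$saltsalt$fakehash:1003:1003::0:0:Carol:/var/empty:/usr/sbin/nologin",
]
```

Run against a real master.passwd, `partially_suspended` lists the accounts where only the password was starred but the shell or home still permits the SSH or FTP paths the post warns about.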