From owner-freebsd-questions@FreeBSD.ORG Thu Apr 7 19:19:41 2005
Message-ID: <3110.216.220.59.169.1112901639.squirrel@216.220.59.169>
In-Reply-To: <42553A2E.4070005@haystacks.org>
References: <42531440.30103@adelphia.net> <200504051850.33281.ean@hedron.org> <1112789082.28348.5.camel@mis3c.rtl.lan> <1318.216.220.59.169.1112812328.squirrel@216.220.59.169> <42553A2E.4070005@haystacks.org>
Date: Thu, 7 Apr 2005 15:20:39 -0400 (EDT)
From: "Ean Kingston"
To: "Eric McCoy"
cc: freebsd-questions@freebsd.org
cc: Ean Kingston
User-Agent: SquirrelMail/1.4.3a
Subject: Re: suspending login

> Ean Kingston wrote:
>> If you change the password entry then, when you want to enable the user
>> again, the user has to enter a new password. This way, the user keeps
>> his/her old password. Note, the question asked for suspend, not remove.
>> I read suspend as implying that the account may be used again.
>
> No, you don't replace the password, you just insert an invalid character
> - one which can never be the result of crypt(). That invalid character
> is typically an asterisk. To unlock the account, you remove the
> asterisk. It's how pw usermod -L and -U work.

I hadn't considered that. I will be doing that from now on. Thanks.

> For the OP, it's important to use all three approaches if your victim is
> untrustworthy. If you change the password but nothing else he can still
> get in via SSH; if you change the shell but nothing else he can still
> get in via FTP (possibly); if you change the home directory but nothing
> else he can still get in via SSH (and mess with /tmp or /var/tmp). So
> if you are locking out the user to preserve evidence of some misdeed, be
> sure to do all three.
>
> If this is just a real-life buddy who's welching on some money he owes
> you, though, doing only one will probably be sufficient. (Well, doing
> one and saying things to him like "I bought a .45 last week" and "It
> turns out that if you do enough cocaine most juries won't convict you of
> murder.")

I hadn't thought of that either.

--
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/
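As an added illustration of the two points raised in this thread (locking a password hash by prefixing a character crypt() never emits, and checking that all three lockout measures are in place), the following POSIX sh snippet is example code written for this archive page, not anything posted by the participants or shipped with FreeBSD. The user name, hash, and paths in the sample master.passwd(5)-style lines are constructed; the nologin/false shell and /nonexistent home values are the conventions the audit function assumes.

```shell
#!/bin/sh
# Example code (not from the thread). Field layout follows master.passwd(5):
# name:pw:uid:gid:class:change:expire:gecos:home:shell

# Lock a hash the way the reply describes: prefix an asterisk, which
# crypt() never produces, so the original hash survives for later unlock.
lock_hash() {
    case "$1" in
        \**) printf '%s\n' "$1" ;;      # already locked, leave as-is
        *)   printf '*%s\n' "$1" ;;
    esac
}

# Reverse the lock: strip FreeBSD's "*LOCKED*" marker or a bare leading '*'.
unlock_hash() {
    h=$1
    case "$h" in
        \*LOCKED\**) h=${h#\*LOCKED\*} ;;
        \**)         h=${h#\*} ;;
    esac
    printf '%s\n' "$h"
}

# Report which of the three lockout measures apply to one passwd line.
# Prints a comma-separated subset of "password,shell,home", or "none".
audit_entry() {
    IFS=: read -r name pw uid gid class change expire gecos home shell <<EOF
$1
EOF
    out=""
    case "$pw" in \**|!*)                 out="password" ;; esac
    case "$shell" in */nologin|*/false)   out="${out:+$out,}shell" ;; esac
    case "$home" in /nonexistent|/var/empty) out="${out:+$out,}home" ;; esac
    printf '%s\n' "${out:-none}"
}

# Constructed sample entries (single quotes keep the '$' in the hash literal).
OPEN_ENTRY='mallory:$6$abc$deadbeef:1001:1001::0:0:Mallory:/home/mallory:/bin/sh'
PW_ONLY_ENTRY='mallory:*$6$abc$deadbeef:1001:1001::0:0:Mallory:/home/mallory:/bin/sh'
FULL_LOCK_ENTRY='mallory:*$6$abc$deadbeef:1001:1001::0:0:Mallory:/nonexistent:/usr/sbin/nologin'

if [ "${1:-}" = "demo" ]; then
    for e in "$OPEN_ENTRY" "$PW_ONLY_ENTRY" "$FULL_LOCK_ENTRY"; do
        printf '%s -> %s\n' "${e%%:*}" "$(audit_entry "$e")"
    done
fi
```

Run with `sh script.sh demo` to see the audit result for each sample line; a real check would feed it `getent passwd` output or the relevant lines of the password database.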