locked account accessible via pubkey auth

Chris Adams cmadams at hiwaay.net
Thu Jan 31 03:09:56 EST 2002


Once upon a time, Dan Kaminsky <dan at doxpara.com> said:
> > If it is locked, the user is not allowed to change his own password. So he
> > can not unlock it. You get a permission denied when trying to do so.
> 
> Actually, that's really useful and very cool!  Which platforms support this
> behavior -- just recent Solaris, or most Unixen?

I think the old shadow-utils had the -l/-u options to passwd to lock and
unlock a password.

I added them to the passwd command that Red Hat Linux uses several years
ago and sent the patch to Red Hat (I don't know if other Linux
distributions have it).

> Can a user lock their own account?

Remember, it is the password that is locked, not the account (that's
what brought this thread up).  And no, users can't do this; only root is
allowed to use -l/-u.

Compaq Tru64 Unix doesn't have this option to passwd.  If you use
enhanced security, you can "usermod -x administrative_lock_applied=1
<user>" an account and it can no longer log in at all (the account is
locked, not the password).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
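
An audit for the case in the subject line, added here as an example and not part of the original message: it lists users whose password is locked while the account itself is not, and who have an authorized_keys file. It assumes the shadow-utils convention that "passwd -l" prefixes the stored hash with "!" and treats a passed expiry date in shadow(5) field 8 as the account lock; the function names and sample records are constructed for illustration.

```python
import os
import time

# Constructed sample records in shadow(5) and passwd(5) layout, not from a real host.
SAMPLE_SHADOW = """\
alice:$6$salt$hash:19000:0:99999:7:::
bob:!$6$salt$hash:19000:0:99999:7:::
carol:!$6$salt$hash:19000:0:99999:7::1:
daemon:*:19000:0:99999:7:::
"""
SAMPLE_PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
daemon:x:1:1::/usr/sbin:/usr/sbin/nologin
"""

def default_has_keys(home):
    """True if the home directory holds a non-empty authorized_keys file."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    return os.path.isfile(path) and os.path.getsize(path) > 0

def locked_but_key_reachable(shadow_text, passwd_text, today_days,
                             has_keys=default_has_keys):
    """Names with a locked password, an unexpired account and SSH keys.

    Assumption: "!" prefix means password locked (shadow-utils passwd -l);
    expiry field 8 in the past means the account itself is locked.
    """
    homes = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            homes[f[0]] = f[5]          # field 6 of passwd(5) is the home dir
    flagged = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 8 or f[0] not in homes:
            continue                    # malformed line or no passwd entry
        name, pw_hash, expire = f[0], f[1], f[7]
        password_locked = pw_hash.startswith("!")
        account_expired = expire.isdigit() and 0 < int(expire) <= today_days
        if password_locked and not account_expired and has_keys(homes[name]):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    today = int(time.time() // 86400)   # days since the epoch, as in shadow(5)
    print(locked_but_key_reachable(SAMPLE_SHADOW, SAMPLE_PASSWD, today, lambda h: True))
```

On a real host, pass the contents of /etc/shadow and /etc/passwd (read as root) and leave has_keys at its default.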



More information about the openssh-unix-dev mailing list