Re: Different ways of locking accounts



On 3/18/07, Roberto C. Sanchez <roberto@xxxxxxxxxxxx> wrote:

On Sun, Mar 18, 2007 at 12:18:55AM +0800, Wei Chen wrote:
> Hi,
>
> I recently found ways that can lock user accounts on the local machine,
> including "passwd -l" and "usermod -L".
>
> I am wondering now what is the difference between the two commands and which
> one is preferred (or standard, or more widely used). Thanks.

passwd(1):

User accounts may be locked and unlocked with the -l and -u flags. The
-l option disables an account by changing the password to a value which
matches no possible encrypted value. The -u option re-enables an
account by changing the password back to its previous value.

usermod(1):

-L Lock a user's password. This puts a '!' in front of the
encrypted password, effectively disabling the password. You
can't use this option with -p or -U.

They more than likely do the same exact thing, if for no other reason than
for compatibility. Either way, they both lock an account by making the
hashed password value one that cannot match any possible hash.


Will there be a problem if I lock an account with one program and unlock with
another?

BTW, both methods lock shells as well as ftp and sftp. Changing the shell to
/usr/sbin/nologin allows ftp but still prevents sftp.
Is there a method that locks shell but allows ftp and sftp? Thanks.

Regards,

-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com





--
Cheers,
Wei
http://www.acplex.com/people/wchen/
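
Added example, not part of the original thread: a small Python model of the '!' lock marker that the usermod(1) excerpt describes, run over constructed shadow(5)-style lines to show which accounts a password lock actually covers. It assumes passwd -l writes the same '!' prefix (the passwd(1) excerpt does not name the value it uses); the function names and sample entries are hypothetical.

```python
# Added example: model of the '!' lock marker in shadow(5) password fields.
# All entries below are constructed sample data, not real hashes.
SAMPLE_SHADOW = """\
alice:$1$CONSTRUCT$notARealHashJustASample00:13590:0:99999:7:::
bob:!$1$CONSTRUCT$notARealHashJustASample01:13590:0:99999:7:::
daemon:*:13590:0:99999:7:::
carol:!:13590:0:99999:7:::
dave::13590:0:99999:7:::
"""

def classify(field):
    """Return the login state implied by a shadow password field."""
    if field == "":
        return "empty"              # no password is required at all
    if field.startswith("!"):
        # '!' in front of a hash is what the usermod(1) excerpt describes
        return "locked" if field.lstrip("!") else "locked-no-hash"
    if field.startswith("*"):
        return "no-password-login"  # conventional marker on system accounts
    return "active"

def lock(field):
    """Prepend '!' once, as usermod -L is described to do."""
    return field if field.startswith("!") else "!" + field

def unlock(field):
    """Remove one leading '!'; refuse if that would leave an empty field."""
    if not field.startswith("!"):
        return field
    restored = field[1:]
    if restored == "":
        raise ValueError("unlocking would leave an empty password field")
    return restored

def audit(shadow_text):
    """Map each user name to its classified state."""
    result = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, field = line.split(":")[:2]
        result[name] = classify(field)
    return result

if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
```

Under the stated assumption, a lock applied by one tool and removed by the other round-trips to the original hash, because both operate on the same field; the "empty" and "locked-no-hash" rows are the cases worth reviewing in an audit.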

