
Re: Freeze accounts



On Mon, Dec 24, 2012 at 3:46 PM, David Guntner <davidg@akamail.net> wrote:
> Tom H grabbed a keyboard and wrote:
>> On Sun, Dec 23, 2012 at 11:01 AM, Beco <rcb@beco.cc> wrote:
>>> On Sun, Dec 23, 2012 at 11:29 AM, Lars Noodén <lars.nooden@gmail.com> wrote:


>>> I don't want to look one by one. There should be a way to process them in batch.
>
> I think I missed part of this thread.... Look at what one by one?
>
>>> I find David's idea of editing passwd dangerous and annoying. It would
>>> be ok to change a single user, but even then I would choose this way
>>> with caution.
>
> Of course, I'm a LONG-time UNIX user/admin, and back in the day, setting
> the login shell that way was pretty much the way to do it. As someone
> else here pointed out, doing a "passwd -l" doesn't actually *disable*
> the account and allows someone who's using a key instead of a password
> to get in. Setting their login shell to /bin/false (and later, with the
> addition of /usr/sbin/nologin on Linux systems to give the user a message
> before hanging up) does that nicely - they're not getting in with a key,
> either. I can't recall, however, if that would keep them from
> connecting via (S)FTP (since there's no actual login shell being
> invoked). Probably need to test that....

AFAIR sftp will work when the shell's "/usr/sbin/nologin" or
"/bin/false" if you use "internal-sftp" as the sftp server.


>> You don't have to edit "/etc/passwd" to change shells to nologin. You
>> can use "chsh" as long as nologin is a recognized shell.
>
> Sure, that works, too - however, you'll have to edit /etc/shells to
> include /bin/false and/or /usr/sbin/nologin, 'cause those aren't "valid"
> login shells by default.

That's why I said "recognized shell."


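As an added example (not code from anyone in this thread), here is the check David's and Tom's points suggest, scripted so it can be run over many accounts at once: it reports whether an account's password is locked, whether its shell is /bin/false or a nologin variant, whether that shell is listed in /etc/shells (so chsh would accept it), and flags the passwd -l trap where a locked password still leaves key-based ssh open. The passwd, shadow and shells data are constructed and embedded so the script runs anywhere; the user names, hashes and the KEYS argument are made up.

```shell
#!/bin/sh
# Audit whether "frozen" accounts are really frozen. Constructed sample data
# stands in for /etc/passwd, /etc/shadow and /etc/shells (not real accounts).
SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/usr/sbin/nologin
carol:x:1003:1003::/home/carol:/bin/false'
SAMPLE_SHADOW='alice:!$6$fakesalt$fakehash:15000:0:99999:7:::
bob:!$6$fakesalt$fakehash:15000:0:99999:7:::
carol:$6$fakesalt$fakehash:15000:0:99999:7:::'
SAMPLE_SHELLS='/bin/sh
/bin/bash
/usr/sbin/nologin'

# freeze_status USER KEYS   (KEYS is "yes" if ~/.ssh/authorized_keys exists)
# Prints one verdict line; OPEN-VIA-KEY is the "passwd -l" trap from the thread.
freeze_status() {
    user=$1; keys=$2
    shell=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$user" '$1==u {print $7}')
    hash=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$user" '$1==u {print $2}')
    [ -n "$shell" ] || { echo "$user: no such user"; return 1; }

    # passwd -l prefixes the hash with "!"; "*" means no usable password at all.
    case $hash in
        '!'*|'*'*) pw=locked ;;
        *)         pw=usable ;;
    esac
    # /bin/false or any nologin variant ends the session whether it was
    # authenticated by password or by key.
    case $shell in
        /bin/false|*/nologin) sh_state=blocked ;;
        *)                    sh_state=interactive ;;
    esac
    # chsh only accepts shells that are listed in /etc/shells.
    if printf '%s\n' "$SAMPLE_SHELLS" | grep -qx "$shell"; then
        chsh_ok=yes
    else
        chsh_ok=no
    fi

    if [ "$sh_state" = blocked ]; then
        verdict=FROZEN
    elif [ "$pw" = locked ] && [ "$keys" = yes ]; then
        verdict=OPEN-VIA-KEY
    elif [ "$pw" = locked ]; then
        verdict=PASSWORD-ONLY-LOCK
    else
        verdict=OPEN
    fi
    echo "$user: password=$pw shell=$shell($sh_state) chsh_listed=$chsh_ok -> $verdict"
}

for u in alice bob carol; do freeze_status "$u" yes; done
```

For a live audit, replace the three SAMPLE_ variables with the output of `getent passwd`, a root-readable copy of /etc/shadow and the contents of /etc/shells, and derive KEYS from whether the user's authorized_keys file exists.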