Tom H grabbed a keyboard and wrote:
> On Sun, Dec 23, 2012 at 11:01 AM, Beco <rcb@beco.cc> wrote:
>> On Sun, Dec 23, 2012 at 11:29 AM, Lars Noodén <lars.nooden@gmail.com> wrote:
>>
>> I don't want to look one by one. There should be a way to process them in batch.
I think I missed part of this thread.... Look at what one by one?
>> I find David's idea of editing passwd dangerous and annoying. It would
>> be ok to change a single user, but even then I would choose this way
>> with caution.
It's annoying when you have a user who did something that requires you
to lock them out of their account, I'll agree. Beyond that, there's
nothing more dangerous with editing /etc/passwd than anything else you
do as root. Exercise care and there should be no problems. (Again, it
seems clear to me now that I've missed something somewhere - what
exactly are you trying to do? What are the criteria by which you want to
disable (but not delete) multiple accounts?)
Of course, I'm a LONG-time UNIX user/admin, and back in the day, setting
the login shell that way was pretty much the way to do it. As someone
else here pointed out, doing a "passwd -l" doesn't actually *disable*
the account and allows someone who's using a key instead of a password
to get in. Setting their login shell to /bin/false (and later, with the
addition of /usr/sbin/nologin on Linux systems to give the user a message
before hanging up) does that nicely - they're not getting in with a key,
either. I can't recall, however, if that would keep them from
connecting via (S)FTP (since there's no actual login shell being
invoked). Probably need to test that....
> You don't have to edit "/etc/passwd" to change shells to nologin. You
> can use "chsh" as long as nologin is a recognized shell.
Sure, that works, too - however, you'll have to edit /etc/shells to
include /bin/false and/or /usr/sbin/nologin, 'cause those aren't "valid"
login shells by default.
--Dave
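
The message above says a "passwd -l" lock leaves key-based logins open, while a /bin/false or nologin shell closes them. As an added example (not part of the original message), this batch check lists accounts that have the password lock but still carry a usable login shell. It assumes Linux shadow-utils, where "passwd -l" prefixes the hash with "!"; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts whose password is locked but whose login
# shell would still hand a key-based login an interactive shell.
# Assumption: Linux shadow-utils, where "passwd -l" prefixes the hash with "!".

# locked_with_shell PASSWD_FILE SHADOW_FILE
# Prints one user name per line, sorted.
locked_with_shell() {
    awk -F: '
        # First operand (shadow): remember users whose hash starts with "!".
        FILENAME == ARGV[1] { if ($2 ~ /^!/) locked[$1] = 1; next }
        # Second operand (passwd): field 7 is the login shell. An empty
        # field means the default shell, so it is reported as well.
        ($1 in locked) && $7 != "/bin/false" && $7 !~ /\/nologin$/ { print $1 }
    ' "$2" "$1" | sort
}

# Constructed sample data (not real accounts or hashes).
make_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/usr/sbin/nologin
carol:x:1003:1003::/home/carol:/bin/false
dave:x:1004:1004::/home/dave:/bin/sh
erin:x:1005:1005::/home/erin:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$CONSTRUCTED$hash:15697:0:99999:7:::
alice:!$6$CONSTRUCTED$hash:15697:0:99999:7:::
bob:!$6$CONSTRUCTED$hash:15697:0:99999:7:::
carol:!$6$CONSTRUCTED$hash:15697:0:99999:7:::
dave:!!:15697:0:99999:7:::
erin:$6$CONSTRUCTED$hash:15697:0:99999:7:::
EOF
}

# Run with --demo to try the check on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_samples "$tmp"
    locked_with_shell "$tmp/passwd" "$tmp/shadow"   # prints alice, dave
    rm -rf "$tmp"
fi
```

On a live system, call `locked_with_shell /etc/passwd /etc/shadow` as root, since /etc/shadow is not world-readable.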