> Ean Kingston wrote:
>> If you change the password entry then, when you want to enable the
>> user again, the user has to enter a new password. This way, the user
>> keeps his/her old password. Note, the question asked for suspend, not
>> remove. I read suspend as implying that the account may be used again.
>
> No, you don't replace the password, you just insert an invalid character
> - one which can never be the result of crypt(). That invalid character
> is typically an asterisk. To unlock the account, you remove the
> asterisk. It's how pw usermod -L and -U work.

I hadn't considered that. I will be doing that from now on. Thanks.

> For the OP, it's important to use all three approaches if your victim is
> untrustworthy. If you change the password but nothing else he can still
> get in via SSH; if you change the shell but nothing else he can still
> get in via FTP (possibly); if you change the home directory but nothing
> else he can still get in via SSH (and mess with /tmp or /var/tmp). So
> if you are locking out the user to preserve evidence of some misdeed, be
> sure to do all three.
>
> If this is just a real-life buddy who's welching on some money he owes
> you, though, doing only one will probably be sufficient. (Well, doing
> one and saying things to him like "I bought a .45 last week" and "It
> turns out that if you do enough cocaine most juries won't convict you of
> murder.")

I hadn't thought of that either.

-- 
Ean Kingston

E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/
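Added example, not part of the thread: a sketch of the asterisk lock and unlock described above, plus an audit that reports which of the three lockout steps an entry still lacks. It only processes constructed master.passwd-style text lines; the function names, the target shell `/usr/sbin/nologin` and the target home `/nonexistent` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: works on constructed master.passwd-style lines only;
# it never touches the real password database.
# Field layout (FreeBSD master.passwd):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Prefix the password field with "*" so no crypt() output can match it.
# Already-locked entries are left unchanged.
lock_entry() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '$2 !~ /^\*/ { $2 = "*" $2 } { print }'
}

# Remove one leading "*" so the original hash is valid again.
unlock_entry() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '{ sub(/^\*/, "", $2); print }'
}

# Report which of the three lockout steps are still missing.
# Assumed targets: shell /usr/sbin/nologin, home /nonexistent.
audit_entry() {
    printf '%s\n' "$1" | awk -F: '{
        gaps = ""
        if ($2 !~ /^\*/)                gaps = gaps " password"
        if ($10 != "/usr/sbin/nologin") gaps = gaps " shell"
        if ($9 != "/nonexistent")       gaps = gaps " home"
        print (gaps == "" ? "locked" : "open:" gaps)
    }'
}

# Constructed sample entry (the hash is a made-up placeholder).
SAMPLE='jdoe:$6$saltsalt$FAKEHASH:1001:1001::0:0:J Doe:/home/jdoe:/bin/sh'

audit_entry "$SAMPLE"
audit_entry "$(lock_entry "$SAMPLE")"
```
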