Re: suspending login
> Ean Kingston wrote:
>> If you change the password entry then, when you want to enable the user
>> again, the user has to enter a new password. This way, the user keeps
>> his/her old password. Note, the question asked for suspend, not remove.
>> I read suspend as implying that the account may be used again.
>
> No, you don't replace the password, you just insert an invalid character
> - one which can never be the result of crypt(). That invalid character
> is typically an asterisk. To unlock the account, you remove the
> asterisk. It's how pw usermod -L and -U work.

I hadn't considered that. I will be doing that from now on. Thanks.

> For the OP, it's important to use all three approaches if your victim is
> untrustworthy. If you change the password but nothing else he can still
> get in via SSH; if you change the shell but nothing else he can still
> get in via FTP (possibly); if you change the home directory but nothing
> else he can still get in via SSH (and mess with /tmp or /var/tmp). So
> if you are locking out the user to preserve evidence of some misdeed, be
> sure to do all three.
>
> If this is just a real-life buddy who's welching on some money he owes
> you, though, doing only one will probably be sufficient. (Well, doing
> one and saying things to him like "I bought a .45 last week" and "It
> turns out that if you do enough cocaine most juries won't convict you of
> murder.")

I hadn't thought of that either.

--
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: suspending login
> On Tue, 2005-04-05 at 18:50 -0400, Ean Kingston wrote:
>> On April 5, 2005 06:42 pm, Bob Ababurko wrote:
>> > Hello all-
>> >
>> > I am trying to figure out how to suspend a login for a user. Do I have
>> > to do this with password aging or is there an easier(read brute force)
>> > way to disallow a user from logging in?
>>
>> the safest way is to set the shell to /sbin/nologin and the home directory
>> to /nonexistant in your auth system. The latter is especially needed if you
>> allow ssh for remote login since the public-key authentication mechanisms
>> sometimes bypass the normal login restrictions.
>>
>
> Am I mistaken here, or will doing that only deny the user a shell and
> home directory? The user will still be able to authenticate against the
> password database right?
>
> To the best of my knowledge the "correct" way of doing this is either
> the asterisk method in the password field using vipw or the more user
> friendly way of using pw(8) with the lock command.

Yes, that will allow the user to authenticate against the password database
but the user has no home directory and a shell that kicks the user out right
away.

If you change the password entry then, when you want to enable the user
again, the user has to enter a new password. This way, the user keeps
his/her old password. Note, the question asked for suspend, not remove. I
read suspend as implying that the account may be used again.

If what is wanted is a permanent removal of the user then the entire
home-directory and its contents should be removed as well. Also, a search
for all files owned by that user needs to be done and those files need to
be cleaned up.

--
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/
Re: suspending login
What you need is nologin(5). Check nologin(5) and nologin(8) man pages. As
the nologin(8) man page says:

    To disable all logins, investigate nologin(5)

David

On April 5, 2005 06:42 pm, Bob Ababurko wrote:
> Hello all-
>
> I am trying to figure out how to suspend a login for a user. Do I
> have to do this with password aging or is there an easier(read brute
> force) way to disallow a user from logging in?

--
David Robillard
UNIX systems administrator
[EMAIL PROTECTED]
Notarius (TSIN) Inc.
465, rue St-Jean, suite 200
Montreal, Quebec, H2Y 2R6
Tel. : +1 514 966 0122
Fax. : +1 514 281 1226
http://www.notarius.com
Re: suspending login
On Tue, 2005-04-05 at 18:50 -0400, Ean Kingston wrote:
> On April 5, 2005 06:42 pm, Bob Ababurko wrote:
> > Hello all-
> >
> > I am trying to figure out how to suspend a login for a user. Do I have
> > to do this with password aging or is there an easier(read brute force)
> > way to disallow a user from logging in?
>
> the safest way is to set the shell to /sbin/nologin and the home directory
> to /nonexistant in your auth system. The latter is especially needed if you
> allow ssh for remote login since the public-key authentication mechanisms
> sometimes bypass the normal login restrictions.
>

Am I mistaken here, or will doing that only deny the user a shell and home
directory? The user will still be able to authenticate against the password
database right?

To the best of my knowledge the "correct" way of doing this is either the
asterisk method in the password field using vipw or the more user friendly
way of using pw(8) with the lock command.

Jason
Re: suspending login
Ean Kingston wrote:
> On April 5, 2005 06:42 pm, Bob Ababurko wrote:
> > Hello all-
> >
> > I am trying to figure out how to suspend a login for a user. Do I have
> > to do this with password aging or is there an easier(read brute force)
> > way to disallow a user from logging in?
>
> the safest way is to set the shell to /sbin/nologin and the home directory
> to /nonexistant in your auth system. The latter is especially needed if you
> allow ssh for remote login since the public-key authentication mechanisms
> sometimes bypass the normal login restrictions.

That is perfect...just what I was trying to do. I am used to Solaris...
where if my memory serves me, can lock a user account using the -l flag with
the passwd command or comment them out in the passwd file. I still like the
FreeBSD way more though.

thanks,
Bob
Re: suspending login
On April 5, 2005 06:42 pm, Bob Ababurko wrote:
> Hello all-
>
> I am trying to figure out how to suspend a login for a user. Do I have
> to do this with password aging or is there an easier(read brute force)
> way to disallow a user from logging in?

the safest way is to set the shell to /sbin/nologin and the home directory
to /nonexistant in your auth system. The latter is especially needed if you
allow ssh for remote login since the public-key authentication mechanisms
sometimes bypass the normal login restrictions.

--
Ean Kingston
E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
Re: suspending login
On Tue, 05 Apr 2005 18:42:08 -0400 Bob Ababurko <[EMAIL PROTECTED]> wrote:

hi,

> I am trying to figure out how to suspend a login for a user. Do I
> have to do this with password aging or is there an easier(read brute
> force) way to disallow a user from logging in?

do you want to directly disable a login for a certain user ?

- become root (or use sudo)
- with vipw replace the password-bit by a * as you can see here, e.g.:

    _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
    pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
        ^^^ the password-part is between the first and second colon

if you want to use your favorite editor (e.g. nano) instead of vi with
vipw, do the following before starting vipw, assuming bash is your default
shell :

    export EDITOR=nano
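A small audit of the three suspension measures this thread discusses (an invalid character in the password field, a nologin shell, and a /nonexistent home directory), written as an added example rather than anything posted in the thread; it assumes the master.passwd(5) field layout shown in the vipw lines above and runs against constructed sample entries, not a real password file.

```shell
#!/bin/sh
# Added example, not from the thread: audit master.passwd(5) entries for the
# three suspension measures discussed above. Field layout assumed:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Report which measures one entry has in place; exit 0 only if all three hold.
audit_entry() {
    entry=$1
    name=$(printf '%s' "$entry" | cut -d: -f1)
    pw=$(printf '%s' "$entry" | cut -d: -f2)
    home=$(printf '%s' "$entry" | cut -d: -f9)
    shell=$(printf '%s' "$entry" | cut -d: -f10)
    status=""
    # crypt(3) never produces a hash starting with '*' or '!', so such a
    # field can never match; pw(8) lock prepends '*LOCKED*' to the old hash.
    case $pw in
        '*'*|'!'*) status="${status}password=locked " ;;
        '')        status="${status}password=EMPTY " ;;
        *)         status="${status}password=active " ;;
    esac
    case $shell in
        /sbin/nologin|/usr/sbin/nologin) status="${status}shell=nologin " ;;
        *)                               status="${status}shell=active " ;;
    esac
    case $home in
        /nonexistent) status="${status}home=nonexistent" ;;
        *)            status="${status}home=active" ;;
    esac
    printf '%s: %s\n' "$name" "$status"
    case $status in
        *active*|*EMPTY*) return 1 ;;
    esac
    return 0
}

# Constructed sample entries (hashes are placeholders, not real data).
SAMPLE='bob:*LOCKED*$6$saltsalt$placeholderhash:1001:1001::0:0:Bob:/nonexistent:/sbin/nologin
carol:$6$saltsalt$placeholderhash:1002:1002::0:0:Carol:/home/carol:/sbin/nologin
dave:*:1003:1003::0:0:Dave:/home/dave:/bin/sh'

printf '%s\n' "$SAMPLE" | while IFS= read -r e; do
    audit_entry "$e" || echo "  -> not fully suspended; review this account"
done
```

On a real system the same function can be fed the output of `pw usershow -a` or the entries of /etc/master.passwd to find accounts where only one of the three measures was applied.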
Re: suspending login
On Tuesday 05 April 2005 17:42, Bob Ababurko wrote:
> Hello all-
>
> I am trying to figure out how to suspend a login for a user. Do I
> have to do this with password aging or is there an easier(read
> brute force) way to disallow a user from logging in?
>
> -thanks,
> Bob

Will setting their shell to /sbin/nologin do what you want?

--
Thanks,
Josh Paetzel
suspending login
Hello all-

I am trying to figure out how to suspend a login for a user. Do I have to
do this with password aging or is there an easier(read brute force) way to
disallow a user from logging in?

-thanks,
Bob