On 2012/09/11 03:47, Ted Unangst wrote:
> On Mon, Sep 10, 2012 at 17:01, Antoine Jacoutot wrote:
> > In effect locking/unlocking the password means to add a '!' in front of
> > the encrypted entry in master.passwd.
> > Note that this disable the _password_ not the account of course (you
> > could still connect using ssh+key for e.g.).
> I am very concerned that this violates the principle of least surprise.

This is already common enough that /usr/libexec/security checks for
alternative access methods if the password is "disabled" (i.e. the crypted
password is neither 13 chars long nor starts with $[0-9a-f]$) but the
shell is valid.

Reply via email to