lock an account

tjay83 · September 15, 2008, 12:24pm

hi
how can I Lock an account, by prepending �*LK*� to the password field in /etc/shadow.

I dont want to use passwd -l .

Any idea?

avronius · September 15, 2008, 12:34pm

You could mangle /etc/shadow directly, but passwd -l is the safe way to lock entries.

Why do you not wish to use passwd -l? Maybe we can help with the previous or next step in your requirement...

tjay83 · September 15, 2008, 1:17pm

Thanks for your reply

1-)
When I use "passwd -l" option, somehow I can login with the locked user.
Do you know why?

[root]# passwd -l tj
Locking password for user tj
passwd:Success
[root]#su - tj
[tj] ls
....

2-)Where should I put �*LK*� inside the password field in /etc/shadow?
Could you give an example

Regards

avronius · September 15, 2008, 1:37pm

root will still be able to su to the user. A test would be to su to a user that does not have root access - and try to su - to the locked user.

If you want to completely disable the account, change the default shell to /bin/false. This is a shell that doesn't exist, so will not allow root to su to it.

usermod -s /bin/false username

*LK* belongs in the second field, but again, you SHOULD NOT manually manipulate this file.