Knowledge check question editing /etc/passwd

andre.kit

Kc 30.1 has me confused. The one option is the following:

edit /etc/passwd with vipw and add !! to the second field

I selected this because it does work, however this answer is shown to be incorrect.

(The KC question is to select all answers that apply to lock a user account)

Am I missing something, or perhaps it should be marked correct?

Thank you

luisviveropena

Hi @andre.kit ,

You are right! I just did a small test case, and editing /etc/passwd (second field) with '!!' locks the account. I was researching if there is any difference between 'locking' and 'disabling', and I didn't find anything at the first search. But 'man passws(1)' shows the following:

-l, --lock
Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).

Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

Users with a locked password are not allowed to change their password.

So, as far as I understand at the moment, there is a small difference between locking and disabling. I'm gonna double check it and I'll update this thread later, but it seems you are right

Regards,
Luis.

lee42x

Hello andre.kit , Luis
I did some checking as well, the /etc/passwd file entry #2 (password) needs to be an "x" to function, any other or additional characters are passed along to "crypt(3)" and will cause a failure in authentication. This is the same for the /etc/shadow file, any changes to the password entry will cause a failure.

Now the kicker, changing the /etc/passwd, 2nd entry to "xx" will inhibit normal login (including ssh) however, I can still
launch a process as the user and run programs. Consider:

$ sudo su - student ## does not check the password for student because su was launched as root and now other programs can be run student as long as additional authentication is not required.

As for the question, yes, it need to be updated.

To "lock" an account I would use "sudo usermod -e 1 -L .

luisviveropena

Hi Andre,

I'm not pretty sure of that, but we are working on this. Look at what 'man usermod(8)' says:

[...]

-L, --lock
Lock a user's password. This puts a '!' in front of the encrypted password, effectively disabling the password. You can't use this option with -p or -U.

Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.

[...]

And for locking the account we use the 'chage' command.

Look what the question in KC 30.1 says: "For a system capable of password aging on a per user basis, which of the following are valid ways of locking a user account? Select all answers that apply".

So, I think we should include or select the 'chage' tool. I'm still unsure about usermod and passwd, as these tools can lock the password but not the account (and those are slightly different things).

So, we are still looking at this.

Regards,
Luis.

andre.kit

Thank you Luis

To be technical, due to the word "lock" being used in the question, the only correct answer, in my opinion, would be passwd -l. Perhaps if the question was phrased something like "... how to prohibit a user account from login with a password ..."; This would include all the ! hacks, expiry and /bin/nologin shell.

Thanks again

Andre

luisviveropena

Hi @lee42x !

I just saw your comment, I was writing when you commented. So, 'sudo usermod -e 1 -L ' looks good to lock the account. But we should add 'sudo chage -E 1 ', as in that case the account will get expired and locked (you won't be able to ssh to it).

Many regards!
Luis.

lee42x

The "-e1" in usermod will sets the expiry date to "1" , don't set "-e 0" it turns expiry off.
Setting the expiry date to "1" also stops the "sudo su from functioning.

coop

We will rewrite the material for the next edition to say use chage or usermod. vipw and vigr are just too messy and dangerous to use, there are tools designed to avoid having to do this by hand and screw things up.