Welcome to the Linux Foundation Forum!

Knowledge check question editing /etc/passwd

Kc 30.1 has me confused. The one option is the following:

edit /etc/passwd with vipw and add !! to the second field

I selected this because it does work, however this answer is shown to be incorrect.

(The KC question is to select all answers that apply to lock a user account)

Am I missing something, or perhaps it should be marked correct?

Thank you

Best Answers

  • luisviveropena
    luisviveropena Posts: 1,142
    Answer ✓

    Hi @andre.kit ,

    You are right! I just did a small test case, and editing /etc/passwd (second field) with '!!' locks the account. I was researching if there is any difference between 'locking' and 'disabling', and I didn't find anything at the first search. But 'man passws(1)' shows the following:

    -l, --lock
    Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).

    Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

    Users with a locked password are not allowed to change their password.

    So, as far as I understand at the moment, there is a small difference between locking and disabling. I'm gonna double check it and I'll update this thread later, but it seems you are right :)

    Regards,
    Luis.

Answers

  • andre.kit
    andre.kit Posts: 2

    Thank you Luis

    To be technical, due to the word "lock" being used in the question, the only correct answer, in my opinion, would be passwd -l. Perhaps if the question was phrased something like "... how to prohibit a user account from login with a password ..."; This would include all the ! hacks, expiry and /bin/nologin shell.

    Thanks again

    Andre

  • luisviveropena
    luisviveropena Posts: 1,142

    Hi @lee42x !

    I just saw your comment, I was writing when you commented. So, 'sudo usermod -e 1 -L ' looks good to lock the account. But we should add 'sudo chage -E 1 ', as in that case the account will get expired and locked (you won't be able to ssh to it).

    Many regards!
    Luis.

  • lee42x
    lee42x Posts: 380

    The "-e1" in usermod will sets the expiry date to "1" , don't set "-e 0" it turns expiry off.
    Setting the expiry date to "1" also stops the "sudo su from functioning.

  • coop
    coop Posts: 915

    We will rewrite the material for the next edition to say use chage or usermod. vipw and vigr are just too messy and dangerous to use, there are tools designed to avoid having to do this by hand and screw things up.

Categories

Upcoming Training