
suspending login - FreeBSD


  1. #1

    suspending login

    Hello all-

    I am trying to figure out how to suspend a login for a user. Do I have
    to do this with password aging or is there an easier (read brute force)
    way to disallow a user from logging in?

    -thanks,
    Bob
    Bob Guest

  2. #2

    Re: suspending login

    On Tuesday 05 April 2005 17:42, Bob Ababurko wrote: 

    Will setting their shell to /sbin/nologin do what you want?

    --
    Thanks,

    Josh Paetzel
    Josh Guest

  3. #3

    Re: suspending login

    On Tue, 05 Apr 2005 18:42:08 -0400
    Bob Ababurko wrote:

    hi,
     

    do you want to directly disable a login for a certain user?

    - become root (or use sudo)
    - with vipw replace the password-bit by a *

    as you can see here, e.g.:

    _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
    pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
    ^^^^^^^
    the password-part is between the first and second colon

    if you want to use your favorite editor (e.g. nano) instead of vi with
    vipw, do the following before starting vipw, assuming bash is your
    default shell:
    export EDITOR=nano
    albi@scii.nl Guest

  4. #4

    Re: suspending login

    On April 5, 2005 06:42 pm, Bob Ababurko wrote: 

    the safest way is to set the shell to /sbin/nologin and the home directory
    to /nonexistant in your auth system. The latter is especially needed if you
    allow ssh for remote login since the public-key authentication mechanisms
    sometimes bypass the normal login restrictions.

    --
    Ean Kingston

    E-Mail: ean AT hedron DOT org
    URL: http://www.hedron.org/
    Ean Guest

  5. #5

    Re: suspending login

    Ean Kingston wrote: 
    >
    >
    > the safest way is to set the shell to /sbin/nologin and the home directory
    > to /nonexistant in your auth system. The latter is especially needed if you
    > allow ssh for remote login since the public-key authentication mechanisms
    > sometimes bypass the normal login restrictions.
    That is perfect...just what I was trying to do.

    I am used to Solaris... where if my memory serves me, can lock a user
    account using the -l flag with the passwd command or comment them out in
    the passwd file. I still like FreeBSD way more though.

    thanks,
    Bob
    Bob Guest

  6. #6

    Re: suspending login

    On Tue, 2005-04-05 at 18:50 -0400, Ean Kingston wrote: 
    >
    > the safest way is to set the shell to /sbin/nologin and the home directory
    > to /nonexistant in your auth system. The latter is especially needed if you
    > allow ssh for remote login since the public-key authentication mechanisms
    > sometimes bypass the normal login restrictions.

    Am I mistaken here, or will doing that only deny the user a shell and
    home directory? The user will still be able to authenticate against the
    password database right?

    To the best of my knowledge the "correct" way of doing this is either
    the asterisk method in the password field using vipw or the more user
    friendly way of using pw(8) with the lock command.

    Jason


    Jason Guest

  7. #7

    Re: suspending login

    What you need is nologin(5).

    Check nologin(5) and nologin(8) man pages.

    As the nologin(8) man page says:

    To disable all logins, investigate nologin(5)

    David

    On April 5, 2005 06:42 pm, Bob Ababurko wrote: 

    --
    David Robillard
    UNIX systems administrator

    Notarius (TSIN) Inc.
    465, rue St-Jean, suite 200
    Montreal, Quebec, H2Y 2R6

    Tel. : +1 514 966 0122
    Fax. : +1 514 281 1226

    http://www.notarius.com

    David Guest

  8. #8

    Re: suspending login

     
    >> the safest way is to set the shell to /sbin/nologin and the home
    >> directory
    >> to /nonexistant in your auth system. The latter is especially needed if
    >> you
    >> allow ssh for remote login since the public-key authentication
    >> mechanisms
    >> sometimes bypass the normal login restrictions.
    >
    > Am I mistaken here, or will doing that only deny the user a shell and
    > home directory? The user will still be able to authenticate against the
    > password database right?
    >
    > To the best of my knowledge the "correct" way of doing this is either
    > the asterisk method in the password field using vipw or the more user
    > friendly way of using pw(8) with the lock command.

    Yes, that will allow the user to authenticate against the password
    database but the user has no home directory and a shell that kicks the
    user out right away. If you change the password entry then, when you want
    to enable the user again, the user has to enter a new password. This way,
    the user keeps his/her old password. Note, the question asked for suspend,
    not remove. I read suspend as implying that the account may be used again.

    If what is wanted is a permanent removal of the user then the entire
    home-directory and its contents should be removed as well. Also, a search
    for all files owned by that user needs to be done and those files need to
    be cleaned up.

    --
    Ean Kingston
    E-Mail: ean_AT_hedron_DOT_org
    PGP KeyID: 1024D/CBC5D6BB
    URL: http://www.hedron.org/


    Ean Guest

  9. #9

    Re: suspending login

    Ean Kingston wrote: 

    No, you don't replace the password, you just insert an invalid character
    - one which can never be the result of crypt(). That invalid character
    is typically an asterisk. To unlock the account, you remove the
    asterisk. It's how pw usermod -L and -U work.

    For the OP, it's important to use all three approaches if your victim is
    untrustworthy. If you change the password but nothing else he can still
    get in via SSH; if you change the shell but nothing else he can still
    get in via FTP (possibly); if you change the home directory but nothing
    else he can still get in via SSH (and mess with /tmp or /var/tmp). So
    if you are locking out the user to preserve evidence of some misdeed, be
    sure to do all three.

    If this is just a real-life buddy who's welching on some money he owes
    you, though, doing only one will probably be sufficient. (Well, doing
    one and saying things to him like "I bought a .45 last week" and "It
    turns out that if you do enough cocaine most juries won't convict you of
    murder.")

    Eric Guest

  10. #10

    Re: suspending login

     
    >
    > No, you don't replace the password, you just insert an invalid character
    > - one which can never be the result of crypt(). That invalid character
    > is typically an asterisk. To unlock the account, you remove the
    > asterisk. It's how pw usermod -L and -U work.

    I hadn't considered that. I will be doing that from now on. Thanks.
     

    I hadn't thought of that either.

    --
    Ean Kingston
    E-Mail: ean_AT_hedron_DOT_org
    PGP KeyID: 1024D/CBC5D6BB
    URL: http://www.hedron.org/


    Ean Guest
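
The thread names three separate measures (password field, shell, home directory), and each can be checked per account. The script below is an added example, not posted by any participant: it reads master.passwd-format entries like the ones quoted in post #3 and reports which login paths remain open. The function names `open_paths` and `audit`, the ROOT prefix, and all sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list the login paths a FreeBSD
# master.passwd entry still leaves open. All sample data is constructed.

# open_paths ENTRY [ROOT] -> "name: <open paths>" or "name: none".
# ROOT (hypothetical) prefixes the home path, e.g. a mounted copy.
open_paths() {
    # name:passwd:uid:gid:class:change:expire:gecos:home:shell
    IFS=: read -r name pw uid gid class change expire gecos home shell <<EOF
$1
EOF
    open=""
    case $pw in
        \**) ;;                               # "*" prefix never matches a hash
        "")  open="$open empty-password" ;;   # no password required at all
        *)   open="$open password" ;;
    esac
    case $shell in
        */nologin) ;;                         # no interactive session
        *) open="$open shell" ;;
    esac
    if [ -d "${2:-}$home" ]; then             # home exists: files, key lookup
        open="$open home"
        if [ -s "${2:-}$home/.ssh/authorized_keys" ]; then
            open="$open ssh-keys"             # per the thread, key login may still work
        fi
    fi
    open=${open# }
    echo "$name: ${open:-none}"
}

# Constructed entries; the hashes are placeholders.
SAMPLE='alice:$2b$PLACEHOLDER:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$2b$PLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol:/nonexistent:/usr/sbin/nologin'

audit() {   # audit ROOT: check every sample entry against ROOT
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        open_paths "$line" "$1"
    done
}

# Demo against a constructed directory tree standing in for the real /.
root=$(mktemp -d)
mkdir -p "$root/home/alice" "$root/home/bob/.ssh"
echo "ssh-ed25519 PLACEHOLDER bob" > "$root/home/bob/.ssh/authorized_keys"
audit "$root"
rm -rf "$root"
```

In the demo, bob has a locked password field but is still reported with `shell home ssh-keys`, which is the case post #9 describes; only carol, with all three measures applied, reports `none`.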
