Why should we expire a locked account to totally prevent access?
Clash Royale CLAN TAG#URR8PPP
up vote
5
down vote
favorite
From man usermod:
Note: if you wish to lock the account (not only access with a
password), you should also set the EXPIRE_DATE to 1.
- Why should we expire a locked account to totally prevent access to the account?
- What will happen if I do not expire a locked account?
users accounts usermod
edited 15 mins ago
Tim
19k1482134
asked 12 hours ago
Sinoosh
7741619
add a comment |Â
up vote
5
down vote
favorite
From man usermod:
Note: if you wish to lock the account (not only access with a
password), you should also set the EXPIRE_DATE to 1.
- Why should we expire a locked account to totally prevent access to the account?
- What will happen if I do not expire a locked account?
users accounts usermod
edited 15 mins ago
Tim
19k1482134
asked 12 hours ago
Sinoosh
7741619
add a comment |Â
up vote
5
down vote
favorite
up vote
5
down vote
favorite
From man usermod:
Note: if you wish to lock the account (not only access with a
password), you should also set the EXPIRE_DATE to 1.
- Why should we expire a locked account to totally prevent access to the account?
- What will happen if I do not expire a locked account?
users accounts usermod
edited 15 mins ago
Tim
19k1482134
asked 12 hours ago
Sinoosh
7741619
From man usermod:
Note: if you wish to lock the account (not only access with a
password), you should also set the EXPIRE_DATE to 1.
- Why should we expire a locked account to totally prevent access to the account?
- What will happen if I do not expire a locked account?
users accounts usermod
users accounts usermod
edited 15 mins ago
Tim
19k1482134
asked 12 hours ago
Sinoosh
7741619
edited 15 mins ago
Tim
19k1482134
asked 12 hours ago
Sinoosh
7741619
edited 15 mins ago
Tim
19k1482134
edited 15 mins ago
Tim
19k1482134
edited 15 mins ago
Tim
19k1482134
19k1482134
asked 12 hours ago
Sinoosh
7741619
asked 12 hours ago
Sinoosh
7741619
asked 12 hours ago
Sinoosh
7741619
7741619
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
9
down vote
accepted
usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.
But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.
edited 13 mins ago
Tim
19k1482134
answered 10 hours ago
Ravexina
29.5k147199
How aboutusermod -L -e 300 username? The account will be expired entirely?
– Sinoosh
9 hours ago
1
@Sinoosh it's somehow the same. the expire date would be set atOct 28, 1970which makes account expired.
– Ravexina
9 hours ago
Thank you, could you tell me how can i login to a locked account by ssh ?
– Sinoosh
9 hours ago
1
Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
– Ravexina
9 hours ago
1
@Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
– marcelm
8 hours ago
 |Â
show 1 more comment
up vote
1
down vote
Because ssh keys don't care about passwords you need the account to die instead.
The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.
answered 8 hours ago
Joshua
29114
"change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
– user60561
3 hours ago
1
@user60561 some ssh commands don't use the shell, like forward ports.
– Joshua
2 hours ago
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
9
down vote
accepted
usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.
But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.
edited 13 mins ago
Tim
19k1482134
answered 10 hours ago
Ravexina
29.5k147199
How aboutusermod -L -e 300 username? The account will be expired entirely?
– Sinoosh
9 hours ago
1
@Sinoosh it's somehow the same. the expire date would be set atOct 28, 1970which makes account expired.
– Ravexina
9 hours ago
Thank you, could you tell me how can i login to a locked account by ssh ?
– Sinoosh
9 hours ago
1
Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
– Ravexina
9 hours ago
1
@Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
– marcelm
8 hours ago
 |Â
show 1 more comment
up vote
9
down vote
accepted
usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.
But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.
edited 13 mins ago
Tim
19k1482134
answered 10 hours ago
Ravexina
29.5k147199
How aboutusermod -L -e 300 username? The account will be expired entirely?
– Sinoosh
9 hours ago
1
@Sinoosh it's somehow the same. the expire date would be set atOct 28, 1970which makes account expired.
– Ravexina
9 hours ago
Thank you, could you tell me how can i login to a locked account by ssh ?
– Sinoosh
9 hours ago
1
Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
– Ravexina
9 hours ago
1
@Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
– marcelm
8 hours ago
 |Â
show 1 more comment
up vote
9
down vote
accepted
up vote
9
down vote
accepted
usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.
But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.
edited 13 mins ago
Tim
19k1482134
answered 10 hours ago
Ravexina
29.5k147199
usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.
But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.
edited 13 mins ago
Tim
19k1482134
answered 10 hours ago
Ravexina
29.5k147199
edited 13 mins ago
Tim
19k1482134
edited 13 mins ago
Tim
19k1482134
edited 13 mins ago
Tim
19k1482134
19k1482134
answered 10 hours ago
Ravexina
29.5k147199
answered 10 hours ago
Ravexina
29.5k147199
answered 10 hours ago
Ravexina
29.5k147199
29.5k147199
How aboutusermod -L -e 300 username? The account will be expired entirely?
– Sinoosh
9 hours ago
1
@Sinoosh it's somehow the same. the expire date would be set atOct 28, 1970which makes account expired.
– Ravexina
9 hours ago
Thank you, could you tell me how can i login to a locked account by ssh ?
– Sinoosh
9 hours ago
1
Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
– Ravexina
9 hours ago
1
@Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
– marcelm
8 hours ago
 |Â
show 1 more comment
How aboutusermod -L -e 300 username? The account will be expired entirely?
– Sinoosh
9 hours ago
1
@Sinoosh it's somehow the same. the expire date would be set atOct 28, 1970which makes account expired.
– Ravexina
9 hours ago
Thank you, could you tell me how can i login to a locked account by ssh ?
– Sinoosh
9 hours ago
1
Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
– Ravexina
9 hours ago
1
@Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
– marcelm
8 hours ago
How about
usermod -L -e 300 username ? The account will be expired entirely?– Sinoosh
9 hours ago
How about
usermod -L -e 300 username ? The account will be expired entirely?– Sinoosh
9 hours ago
1
1
@Sinoosh it's somehow the same. the expire date would be set at
Oct 28, 1970 which makes account expired.– Ravexina
9 hours ago
@Sinoosh it's somehow the same. the expire date would be set at
Oct 28, 1970 which makes account expired.– Ravexina
9 hours ago
Thank you, could you tell me how can i login to a locked account by ssh ?
– Sinoosh
9 hours ago
Thank you, could you tell me how can i login to a locked account by ssh ?
– Sinoosh
9 hours ago
1
1
Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
– Ravexina
9 hours ago
Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
– Ravexina
9 hours ago
1
1
@Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
– marcelm
8 hours ago
@Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
– marcelm
8 hours ago
 |Â
show 1 more comment
up vote
1
down vote
Because ssh keys don't care about passwords you need the account to die instead.
The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.
answered 8 hours ago
Joshua
29114
"change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
– user60561
3 hours ago
1
@user60561 some ssh commands don't use the shell, like forward ports.
– Joshua
2 hours ago
add a comment |Â
up vote
1
down vote
Because ssh keys don't care about passwords you need the account to die instead.
The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.
answered 8 hours ago
Joshua
29114
"change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
– user60561
3 hours ago
1
@user60561 some ssh commands don't use the shell, like forward ports.
– Joshua
2 hours ago
add a comment |Â
up vote
1
down vote
up vote
1
down vote
Because ssh keys don't care about passwords you need the account to die instead.
The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.
answered 8 hours ago
Joshua
29114
Because ssh keys don't care about passwords you need the account to die instead.
The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.
answered 8 hours ago
Joshua
29114
answered 8 hours ago
Joshua
29114
answered 8 hours ago
Joshua
29114
answered 8 hours ago
Joshua
29114
29114
"change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
– user60561
3 hours ago
1
@user60561 some ssh commands don't use the shell, like forward ports.
– Joshua
2 hours ago
add a comment |Â
"change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
– user60561
3 hours ago
1
@user60561 some ssh commands don't use the shell, like forward ports.
– Joshua
2 hours ago
"change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
– user60561
3 hours ago
"change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
– user60561
3 hours ago
1
1
@user60561 some ssh commands don't use the shell, like forward ports.
– Joshua
2 hours ago
@user60561 some ssh commands don't use the shell, like forward ports.
– Joshua
2 hours ago
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1083252%2fwhy-should-we-expire-a-locked-account-to-totally-prevent-access%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
