On Tue, Nov 17, 2009 at 11:56 PM, Allan McRae <allan@xxxxxxxxxxxxx> wrote:
> Caleb Cushing wrote:
>>
>> so here's the problem I've discovered
>>
>> http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-kdm.html
>> < links to arch bug included; posting here because I believe both kde's
>> and arch's developers' responses are less than satisfactory. This is a
>> security bug and easy to fix without making users' lives more difficult.
>
> Oh no. It has been 1 day and my "bug" is not fixed! I must blog about it so
> the world listens to me...
>
>
> "I shouldn't have to disable an account in more than 1 way to disable it
> across the board."
>
> Let's see... one-step procedures for disabling the user account:
>
> 1) change the password for that user
> 2) put an asterisk "*" at the beginning of the second field (before the
> encrypted password) in the file /etc/shadow.
> 3) set an account expiry date using chage
> 4) userdel is a permanent one-step procedure that works very well...
>
> #2 is my preferred.

As far as the people I know, passwd -d and passwd -l are the most common ways to do this. They do NOT change the shell. Changing the shell to lock out an account is laughable.
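The thread lists several account-disabling mechanisms that all live in /etc/shadow rather than in the login shell: a "!" or "*" prefix on the password field (passwd -l or a manual edit), an emptied field (passwd -d), and an expiry date set with chage. The following is an added audit example, not code from the thread or from either project, that classifies shadow-style entries by those mechanisms so an administrator can see which accounts are actually unusable for password login. The sample entries are constructed, the hashes are placeholders, and the function name `account_state` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify /etc/shadow-style entries as
# active, locked, passwordless or expired, using only the password field and
# the expiry field, i.e. the mechanisms the reply above describes.
#
# account_state LINE [TODAY_DAYS]
#   LINE       one shadow entry: name:pw:lastchg:min:max:warn:inact:expire:reserved
#   TODAY_DAYS days since the epoch; defaults to the current date, passed
#              explicitly here so results are reproducible.
account_state() {
    line=$1
    if [ -n "$2" ]; then
        today=$2
    else
        today=$(( $(date +%s) / 86400 ))
    fi
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)

    # Field 8 (chage -E) is a day count; once reached the account is expired
    # regardless of the password field.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired
        return
    fi
    case $pw in
        '')        echo passwordless ;;  # passwd -d: empty field, no password check (if PAM allows)
        '!'*|'*'*) echo locked ;;        # passwd -l prefix or manual "*": no hash can ever match
        *)         echo active ;;
    esac
}

# Constructed sample entries (placeholder hashes, not real accounts).
# Note that none of them carry a shell field: the lock state is independent
# of /etc/passwd, which is the point made in the reply above.
sample_shadow='alice:$6$saltsalt$hashhash:15000:0:99999:7:::
bob:!$6$saltsalt$hashhash:15000:0:99999:7:::
carol:*:15000:0:99999:7:::
dave::15000:0:99999:7:::
erin:$6$saltsalt$hashhash:15000:0:99999:7::17000:'

# Audit run: print "user state" for each entry, evaluated as of day 18000.
printf '%s\n' "$sample_shadow" | while IFS= read -r entry; do
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    printf '%s %s\n' "$name" "$(account_state "$entry" 18000)"
done
```

Run against the real file with `sudo sh -c 'while IFS= read -r e; do account_state "$e"; done < /etc/shadow'` after sourcing the function; anything reported as `active` or `passwordless` is an account that a password prompt will still accept, whatever its shell is set to.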