(This will make your configuration a bit more realistic in terms of modern security philosophy.)

Locking user accounts

Okay, you've just seen how to have Linux automatically lock user accounts that are under attack. There will also be times when you'll want to be able to manually lock out user accounts. Here are some examples:

- When a user goes on vacation and you want to ensure that nobody monkeys around with that user's account while he or she is gone
- When a user is under investigation for questionable activities
- When a user leaves the company

In regard to the last point, you may be asking yourself, "Why can't we just delete the accounts of people who are no longer working here?" And, you certainly can, easily enough. However, before you do so, you'll need to check with your local laws to make sure that you don't get yourself into deep trouble. Here in the United States, for example, we have the Sarbanes-Oxley law, which restricts which files publicly traded companies can delete from their computers. If you were to delete a user account, along with that user's home directory and mail spool, you just might be running afoul of Sarbanes-Oxley or whatever you may have as the equivalent law in your own home country.

Anyway, there are two utilities that you can use to temporarily lock a user account:

- Using usermod to lock a user account
- Using passwd to lock user accounts

Using usermod to lock a user account

Let's say that Katelyn has gone on maternity leave and will be gone for at least several weeks. We can lock her account with:

    sudo usermod -L katelyn

When you look at Katelyn's entry in the /etc/shadow file, you'll now see an exclamation point in front of her password hash, as follows:

    katelyn:!$6$uA5ecH1A$MZ6q5U.cyY2SRSJezV000AudP.ckXXndBNsXUdMI1vPO8aFmlLXcbGV25K5HSSaCv4Rl

This exclamation point prevents the system from being able to read her password, which effectively locks her out of the system. To unlock her account, run:

    sudo usermod -U katelyn

You'll see that the exclamation point has been removed so that she can now log in to her account.

Using passwd to lock user accounts

You could also lock Katelyn's account with:

    sudo passwd -l katelyn

This does the same job as usermod -L, but in a slightly different manner. For one thing, passwd -l will give you some feedback about what's going on, whereas usermod -L gives you no feedback at all. On Ubuntu, the feedback looks like this:

    [email protected]:~$ sudo passwd -l katelyn
    [sudo] password for donnie:
    passwd: password expiry information changed.
    [email protected]:~$

On CentOS, the feedback looks like this:

    [[email protected] ~]$ sudo passwd -l katelyn
    Locking password for user katelyn.
    passwd: Success
    [[email protected] ~]$

Also, on the CentOS machine, you'll see that passwd -l places two exclamation points in front of the password hash, instead of just one. Either way, the effect is the same.
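
To check which accounts are currently locked, you can read the same marker that usermod -L and passwd -l write into the password field. The following is an added example, not code from the book: it classifies shadow-format lines by that field. The sample entries, their placeholder hashes, the user frank and the function names are all constructed for illustration.

```sh
#!/bin/sh
# Added example: classify shadow-format entries by the state of field 2
# (the password field). Only that field is inspected.

# Constructed sample entries; the hashes are placeholders, not real ones.
sample_shadow() {
    cat <<'EOF'
donnie:$6$CONSTRUCTED$PLACEHOLDERHASH1:17500:0:99999:7:::
katelyn:!$6$CONSTRUCTED$PLACEHOLDERHASH2:17500:0:99999:7:::
frank:!!$6$CONSTRUCTED$PLACEHOLDERHASH3:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
newuser:!!:17500:0:99999:7:::
EOF
}

# Read shadow-format lines on stdin and print "<user> <state>" for each.
lock_state() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue           # skip blank lines
        case "$pw" in
            '')            state=empty   ;;  # no password required
            '!'|'!!'|'*')  state=no-hash ;;  # no password hash was ever set
            '!'*)          state=locked  ;;  # "!" or "!!" in front of a hash
            *)             state=active  ;;  # bare hash, password usable
        esac
        printf '%s %s\n' "$user" "$state"
    done
}

sample_shadow | lock_state
```

On a real host, pipe the output of sudo cat /etc/shadow into lock_state instead of the sample data.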