From: Kurt Lieber
To: gentoo-dev@gentoo.org
Date: Fri, 31 Oct 2003 17:01:17 -0500
Subject: Re: [gentoo-dev] locking user accounts doesn't really lock them.
Message-ID: <20031031220111.GA2395@mail.lieber.org>
In-Reply-To: <1067637313.2158.15.camel@localhost>

On Fri, Oct 31, 2003 at 01:55:13PM -0800 or thereabouts, Kevyn Shortell wrote:
> It's often overlooked but a much easier method for locking a user out is
> simply to change their default shell to /bin/false or something like it.
> SSH keys or not, they won't be getting access to the box anytime soon
> without a default shell.

A valid point, but iirc, this still allows the user to do things which
don't require an interactive shell.
(scp, for instance)

Ideally, there is one simple way of *completely* locking out a user from a
machine, short of deleting their entry in /etc/(passwd|shadow)

--kurt
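
Added example, not part of the original message or of any Gentoo tool: a small audit that reports, for one account, which of the lock mechanisms discussed in this thread are in place (locked password, disabled login shell, SSH keys) and which authentication paths stay open. It goes one step beyond the message by also reading the shadow expiry field, which usermod(8) recommends setting to 1 when an account should be locked for more than password access. The function names, the sample accounts and the assumption that sshd and login enforce expiry through PAM account checks are mine.

```python
import os

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def _entries(text):
    """Map login name -> colon-separated fields of a passwd/shadow file."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {row[0]: row for row in rows}

def has_authorized_keys(home):
    """True if the default per-user key file exists and is non-empty."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    return os.path.isfile(path) and os.path.getsize(path) > 0

def audit_account(user, passwd_text, shadow_text, today, has_keys=None):
    """Report lock state for `user`; `today` is days since 1970-01-01."""
    pw, sh = _entries(passwd_text)[user], _entries(shadow_text)[user]
    if has_keys is None:
        has_keys = has_authorized_keys(pw[5])
    expire = sh[7] if len(sh) > 7 else ""
    # shadow(5): empty means never expires; 0 is ambiguous, so it is not counted.
    expired = expire.isdigit() and 0 < int(expire) <= today
    password_locked = sh[1].startswith(("!", "*"))
    open_paths = []
    if not expired:  # assumption: expiry is enforced via PAM account checks
        if not password_locked:
            open_paths.append("password")
        if has_keys:
            open_paths.append("ssh-key")
    return {
        "password_locked": password_locked,
        # Authentication can still succeed with a disabled shell; what the
        # session can then do is the open question in the thread.
        "login_shell_disabled": pw[6] in NOLOGIN_SHELLS,
        "expired": expired,
        "open_auth_paths": open_paths,
    }

# Constructed sample data (not from any real system).
PASSWD = """alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:/bin/bash"""
SHADOW = """alice:!$1$salt$hash:12350:0:99999:7:::
bob:$1$salt$hash:12350:0:99999:7:::
carol:!$1$salt$hash:12350:0:99999:7::1:"""
TODAY = 12356  # 2003-10-31 as days since the epoch

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, audit_account(name, PASSWD, SHADOW, TODAY, has_keys=True))
```

On a real host the two text arguments would be the contents of /etc/passwd and /etc/shadow, and leaving out `has_keys` makes the function look for `~/.ssh/authorized_keys` under the account's home directory.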