Why should we expire a locked account to totally prevent access?

5 votes











From man usermod:

    Note: if you wish to lock the account (not only access with a
    password), you should also set the EXPIRE_DATE to 1.

• Why should we expire a locked account to totally prevent access to the account?

• What will happen if I do not expire a locked account?









asked 12 hours ago by Sinoosh, edited 2 mins ago by muru




















2 Answers






9 votes, accepted






usermod -L actually only locks the user's password, so the user is still able to log in using other methods, for example an SSH session which uses public key authentication.

But if you set the EXPIRE_DATE to 1, the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at 1970-01-01 00:00:01.






answered 10 hours ago by Ravexina, edited 16 mins ago by Tim











• How about usermod -L -e 300 username? The account will be expired entirely?
  – Sinoosh, 9 hours ago

• @Sinoosh It's somehow the same. The expire date would be set at Oct 28, 1970, which makes the account expired.
  – Ravexina, 9 hours ago

• Thank you, could you tell me how I can log in to a locked account by SSH?
  – Sinoosh, 9 hours ago

• Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
  – Ravexina, 9 hours ago

• @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
  – marcelm, 8 hours ago
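An audit sketch for the gap discussed in this answer and its comments, added here as an example and not code from the thread: it reads shadow(5)-format lines and lists accounts whose password field is locked with a leading `!` but whose expire field (whole days since 1970-01-01) is unset or still in the future. The sample lines, user names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): find accounts whose password
# is locked but whose account expiry is unset or still in the future.

# Constructed sample lines in shadow(5) layout:
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='alice:$6$salt$hash:17800:0:99999:7:::
bob:!$6$salt$hash:17800:0:99999:7:::
carol:!$6$salt$hash:17800:0:99999:7::1:
dave:!$6$salt$hash:17800:0:99999:7::300:
erin:$6$salt$hash:17800:0:99999:7::99999:
frank:!$6$salt$hash:17800:0:99999:7::99999:'

# today_days: current date as whole days since 1970-01-01, the unit used by
# the expire field.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# classify_shadow TODAY: read shadow lines on stdin, print "name lock expiry".
# lock   = locked  if the password field starts with "!" (what usermod -L adds)
# expiry = expired if field 8 is set and strictly before TODAY (conservative:
#          the expiry day itself is still reported as "live")
classify_shadow() {
    awk -F: -v today="$1" '
        NF >= 8 {
            lock   = (substr($2, 1, 1) == "!") ? "locked" : "unlocked"
            expiry = ($8 != "" && $8 + 0 < today + 0) ? "expired" : "live"
            print $1, lock, expiry
        }'
}

# locked_but_live TODAY: names that usermod -L alone left reachable by
# non-password authentication such as SSH public keys.
locked_but_live() {
    classify_shadow "$1" | awk '$2 == "locked" && $3 == "live" { print $1 }'
}

# Run on the constructed sample; on a real host, as root:
#   locked_but_live "$(today_days)" < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | locked_but_live "$(today_days)"
```

Accounts it reports can be closed off with `usermod -e 1 username`, as the man page note quoted in the question recommends.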
















1 vote









Because SSH keys don't care about passwords, you need the account to die instead.

The old wisdom was to change the user's shell to /bin/false; however, this doesn't actually work.






answered 8 hours ago by Joshua











• "change the user's shell to /bin/false; however this doesn't actually work" [citation needed]
  – user60561, 3 hours ago

• @user60561 Some SSH commands don't use the shell, like forwarding ports.
  – Joshua, 2 hours ago















