Why should we expire a locked account to totally prevent access?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
5
down vote

favorite












From man usermod:




Note: if you wish to lock the account (not only access with a
password), you should also set the EXPIRE_DATE to 1.




  • Why should we expire a locked account to totally prevent access to the account?

  • What will happen if I do not expire a locked account?









share|improve this question



























    up vote
    5
    down vote

    favorite












    From man usermod:




    Note: if you wish to lock the account (not only access with a
    password), you should also set the EXPIRE_DATE to 1.




    • Why should we expire a locked account to totally prevent access to the account?

    • What will happen if I do not expire a locked account?









    share|improve this question

























      up vote
      5
      down vote

      favorite









      up vote
      5
      down vote

      favorite











      From man usermod:




      Note: if you wish to lock the account (not only access with a
      password), you should also set the EXPIRE_DATE to 1.




      • Why should we expire a locked account to totally prevent access to the account?

      • What will happen if I do not expire a locked account?









      share|improve this question















      From man usermod:




      Note: if you wish to lock the account (not only access with a
      password), you should also set the EXPIRE_DATE to 1.




      • Why should we expire a locked account to totally prevent access to the account?

      • What will happen if I do not expire a locked account?






      users user-management accounts






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 mins ago









      muru

      131k19278474




      131k19278474










      asked 12 hours ago









      Sinoosh

      7741619




      7741619




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          9
          down vote



          accepted










          usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.



          But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.






          share|improve this answer






















          • How about usermod -L -e 300 username ? The account will be expired entirely?
            – Sinoosh
            9 hours ago






          • 1




            @Sinoosh it's somehow the same. the expire date would be set at Oct 28, 1970 which makes account expired.
            – Ravexina
            9 hours ago










          • Thank you, could you tell me how can i login to a locked account by ssh ?
            – Sinoosh
            9 hours ago






          • 1




            Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
            – Ravexina
            9 hours ago







          • 1




            @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
            – marcelm
            8 hours ago

















          up vote
          1
          down vote













          Because ssh keys don't care about passwords you need the account to die instead.



          The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.






          share|improve this answer




















          • "change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
            – user60561
            3 hours ago







          • 2




            @user60561 some ssh commands don't use the shell, like forward ports.
            – Joshua
            2 hours ago










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "89"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1083252%2fwhy-should-we-expire-a-locked-account-to-totally-prevent-access%23new-answer', 'question_page');

          );

          Post as a guest






























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          9
          down vote



          accepted










          usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.



          But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.






          share|improve this answer






















          • How about usermod -L -e 300 username ? The account will be expired entirely?
            – Sinoosh
            9 hours ago






          • 1




            @Sinoosh it's somehow the same. the expire date would be set at Oct 28, 1970 which makes account expired.
            – Ravexina
            9 hours ago










          • Thank you, could you tell me how can i login to a locked account by ssh ?
            – Sinoosh
            9 hours ago






          • 1




            Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
            – Ravexina
            9 hours ago







          • 1




            @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
            – marcelm
            8 hours ago














          up vote
          9
          down vote



          accepted










          usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.



          But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.






          share|improve this answer






















          • How about usermod -L -e 300 username ? The account will be expired entirely?
            – Sinoosh
            9 hours ago






          • 1




            @Sinoosh it's somehow the same. the expire date would be set at Oct 28, 1970 which makes account expired.
            – Ravexina
            9 hours ago










          • Thank you, could you tell me how can i login to a locked account by ssh ?
            – Sinoosh
            9 hours ago






          • 1




            Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
            – Ravexina
            9 hours ago







          • 1




            @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
            – marcelm
            8 hours ago












          up vote
          9
          down vote



          accepted







          up vote
          9
          down vote



          accepted






          usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.



          But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.






          share|improve this answer














          usermod -L actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.



          But if you set the EXPIRE_DATE to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 16 mins ago









          Tim

          19k1482134




          19k1482134










          answered 10 hours ago









          Ravexina

          29.5k147199




          29.5k147199











          • How about usermod -L -e 300 username ? The account will be expired entirely?
            – Sinoosh
            9 hours ago






          • 1




            @Sinoosh it's somehow the same. the expire date would be set at Oct 28, 1970 which makes account expired.
            – Ravexina
            9 hours ago










          • Thank you, could you tell me how can i login to a locked account by ssh ?
            – Sinoosh
            9 hours ago






          • 1




            Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
            – Ravexina
            9 hours ago







          • 1




            @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
            – marcelm
            8 hours ago
















          • How about usermod -L -e 300 username ? The account will be expired entirely?
            – Sinoosh
            9 hours ago






          • 1




            @Sinoosh it's somehow the same. the expire date would be set at Oct 28, 1970 which makes account expired.
            – Ravexina
            9 hours ago










          • Thank you, could you tell me how can i login to a locked account by ssh ?
            – Sinoosh
            9 hours ago






          • 1




            Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
            – Ravexina
            9 hours ago







          • 1




            @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
            – marcelm
            8 hours ago















          How about usermod -L -e 300 username ? The account will be expired entirely?
          – Sinoosh
          9 hours ago




          How about usermod -L -e 300 username ? The account will be expired entirely?
          – Sinoosh
          9 hours ago




          1




          1




          @Sinoosh it's somehow the same. the expire date would be set at Oct 28, 1970 which makes account expired.
          – Ravexina
          9 hours ago




          @Sinoosh it's somehow the same. the expire date would be set at Oct 28, 1970 which makes account expired.
          – Ravexina
          9 hours ago












          Thank you, could you tell me how can i login to a locked account by ssh ?
          – Sinoosh
          9 hours ago




          Thank you, could you tell me how can i login to a locked account by ssh ?
          – Sinoosh
          9 hours ago




          1




          1




          Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
          – Ravexina
          9 hours ago





          Read these: How to create multiple ssh keys?, How do I set up SSH authentication keys? and How can I set up password-less SSH login?.
          – Ravexina
          9 hours ago





          1




          1




          @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
          – marcelm
          8 hours ago




          @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;)
          – marcelm
          8 hours ago












          up vote
          1
          down vote













          Because ssh keys don't care about passwords you need the account to die instead.



          The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.






          share|improve this answer




















          • "change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
            – user60561
            3 hours ago







          • 2




            @user60561 some ssh commands don't use the shell, like forward ports.
            – Joshua
            2 hours ago














          up vote
          1
          down vote













          Because ssh keys don't care about passwords you need the account to die instead.



          The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.






          share|improve this answer




















          • "change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
            – user60561
            3 hours ago







          • 2




            @user60561 some ssh commands don't use the shell, like forward ports.
            – Joshua
            2 hours ago












          up vote
          1
          down vote










          up vote
          1
          down vote









          Because ssh keys don't care about passwords you need the account to die instead.



          The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.






          share|improve this answer












          Because ssh keys don't care about passwords you need the account to die instead.



          The old wisdom was change the user's shell to /bin/false; however this doesn't actually work.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 8 hours ago









          Joshua

          29114




          29114











          • "change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
            – user60561
            3 hours ago







          • 2




            @user60561 some ssh commands don't use the shell, like forward ports.
            – Joshua
            2 hours ago
















          • "change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
            – user60561
            3 hours ago







          • 2




            @user60561 some ssh commands don't use the shell, like forward ports.
            – Joshua
            2 hours ago















          "change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
          – user60561
          3 hours ago





          "change the user's shell to /bin/false; however this doesn't actually work"[citation needed]
          – user60561
          3 hours ago





          2




          2




          @user60561 some ssh commands don't use the shell, like forward ports.
          – Joshua
          2 hours ago




          @user60561 some ssh commands don't use the shell, like forward ports.
          – Joshua
          2 hours ago

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1083252%2fwhy-should-we-expire-a-locked-account-to-totally-prevent-access%23new-answer', 'question_page');

          );

          Post as a guest













































































          Comments

          Popular posts from this blog

          What does second last employer means? [closed]

          Installing NextGIS Connect into QGIS 3?

          One-line joke