> I'm wondering why I would want that - until now nobody could give me a
> good argument although everybody learns to remove the shells :-(
>
> * If I give my users a disabled password, they cannot? login via passwd
> based ssh/ftp/pop3 etc.

Not true. Say you disable the passwd (put "*" in /etc/shadow file, for example) but they have already enabled SSH identity authentication so they never use actual password authentication. You think they can't log in because there's no legal password, but SSH lets them in before it gets there.

> * But, on the other hand, I can have a
> su news -c /usr/local/script_running_as_user_news.sh

How do you want to disable that? Only root can run su as another user if the password is locked.

> ?: Yes, except for the rare cases when the PAM developers release a
> buggy version that interprets '*' as no password instead of no
> login..

But that'd never happen... ;-)

--
Brian Hatch                  "Oh bugger, now I have to
   Systems and                wait for someone to wake up."
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
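The gap described in the reply above, as an added example that is not part of the original message: a Python audit that cross-checks passwd and shadow entries against the presence of `authorized_keys` to find accounts whose password is locked but which keep a usable shell. All account data, the `HOMES_WITH_KEYS` set and the function names are constructed for illustration; whether sshd actually admits such an account depends on its configuration.

```python
# Constructed sample data (not from the original message).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/var/spool/news:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
news:*:19000:0:99999:7:::
alice:*:19000:0:99999:7:::
bob:$6$constructed$hash:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
"""
# Home directories assumed to hold a non-empty .ssh/authorized_keys.
HOMES_WITH_KEYS = {"/home/alice", "/home/carol"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def password_locked(field):
    """A field starting with '*' or '!' matches no password hash."""
    return field.startswith(("*", "!"))


def audit(passwd_text, shadow_text, homes_with_keys):
    """Return (user, kind) for locked-password accounts that keep a shell."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed passwd lines
        user, home, shell = fields[0], fields[5], fields[6]
        if not password_locked(shadow.get(user, "")):
            continue  # password auth is possible; outside this check
        if shell in NOLOGIN_SHELLS:
            continue  # shell removed; not reported by this check
        # Key present: the SSH identity case from the reply.
        # No key: only root's "su user -c ..." reaches the account.
        kind = "ssh-key" if home in homes_with_keys else "su-only"
        findings.append((user, kind))
    return findings


if __name__ == "__main__":
    for user, kind in audit(PASSWD, SHADOW, HOMES_WITH_KEYS):
        print(f"{user}: locked password, {kind}")
```
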