> On Fri, 2003-10-31 at 17:18, Kurt Lieber wrote:
>> As was just pointed out to me on irc, expiring the account, as opposed to
>> locking the password, will do what I want. So:
>>
>> usermod -e 0000-00-00 <user>
>
> Will this leave the /etc/passwd entry intact?

To the best of my knowledge, yes. It modifies the expire-field in /etc/shadow.

For systems using alternative nss-modules (like libnss-mysql) I believe the same result occurs if one modifies the expire field in the same way (for example in a mysql-db). (But you might have to make the tool to change it yourself, because usermod will probably try to modify the files, i.e. /etc/shadow in this case.)

See also "man shadow" for more information about the different fields in shadow.

In order to work it also needs the right pam-setup for services using pam-authentication, as the account-part[1] in pam determines whether the user is allowed to access the service, whether their password has expired, etc.

And "The Linux-PAM System Administrator's Guide"[2] says this about pam_unix.so:

    Based on the following shadow elements: expire; last_change; max_change;
    min_change; warn_change, this module performs the task of establishing
    the status of the user's account and password.

It seems reasonable that this line is critical for this task:

    account required /lib/security/pam_unix.so

Best regards,
Christian

References:
[0] man shadow
[1] http://www.tldp.org/HOWTO/User-Authentication-HOWTO/x101.html
[2] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.26
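
One way to audit the two states this thread contrasts, a locked password (field 2) versus an expired account (field 8), from shadow(5)-format data; this is an added example, not part of the original messages. The function names, the sample accounts and the day number 19500 are constructed for illustration, and treating an account as expired once today >= the expire field is an assumption about how that field is evaluated.

```shell
#!/bin/sh
# Added example: report, per account, the two states discussed in the thread:
# password locked (field 2) versus account expired (field 8) in shadow(5).

# Constructed sample in /etc/shadow format (hashes are placeholders).
sample_shadow() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
carol:$6$constructedsalt$constructedhash:19000:0:99999:7::18000:
dave:$6$constructedsalt$constructedhash:19000:0:99999:7::0:
erin:$6$constructedsalt$constructedhash:19000:0:99999:7::20000:
EOF
}

# shadow_status TODAY  -- reads shadow-format lines on stdin.
# TODAY is the current date as days since 1970-01-01, the unit field 8 uses.
shadow_status() {
    awk -F: -v today="$1" '
        NF < 8 { next }                       # skip blank or truncated lines
        {
            # Field 2: "usermod -L" / "passwd -l" prepend "!" to the hash.
            pw = (substr($2, 1, 1) == "!") ? "pw-locked" : "pw-usable"
            # Field 8: account expiration date; empty means no expiry.
            if ($8 == "")                   acct = "no-expiry"
            else if ($8 !~ /^[0-9]+$/)      acct = "malformed"
            else if ($8 + 0 == 0)           acct = "ambiguous-zero"  # shadow(5): avoid 0
            else if (today + 0 >= $8 + 0)   acct = "expired"
            else                            acct = "active"
            print $1, pw, acct
        }'
}

# Day 19500 is a constructed "today"; on a live system use
#   shadow_status "$(( $(date +%s) / 86400 ))" < /etc/shadow   (needs root)
sample_shadow | shadow_status 19500
```

An account reported as pw-locked with no-expiry has only its password disabled; the expire field that pam_unix's account check reads is still unset.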
