On 2012/09/11 03:47, Ted Unangst wrote:
> On Mon, Sep 10, 2012 at 17:01, Antoine Jacoutot wrote:
>
> > In effect locking/unlocking the password means to add a '!' in front of
> > the encrypted entry in master.passwd.
> > Note that this disables the _password_ not the account of course (you
> > could still connect using ssh+key for e.g.).
>
> I am very concerned that this violates the principle of least surprise.
>
This is already common enough that /usr/libexec/security checks for alternative access methods if the password is "disabled" (i.e. the crypted password is neither 13 chars long nor starts with $[0-9a-f]$) but the shell is valid.
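
The check described in the message above, as an added example that is not part of the original thread and is not the code of /usr/libexec/security: it flags master.passwd entries whose password is disabled while the shell is still valid, which are the accounts worth reviewing for other access paths such as ssh keys. The function names, the sample entries and the shell list are constructed; the `+` in the pattern (so that multi-character identifiers like `$2a$` match) and the handling of an empty password field are assumptions of this sketch.

```python
import re

# Usable hash per the message: 13 chars long, or starts with $[0-9a-f]$.
# Assumption: '+' added so identifiers such as $2a$ are recognised.
HASH_PREFIX = re.compile(r"^\$[0-9a-f]+\$")

def password_disabled(crypted):
    """True if the crypted field cannot match any typed password."""
    if crypted == "":
        return False  # empty field means no password at all: a separate finding
    return len(crypted) != 13 and not HASH_PREFIX.match(crypted)

def parse_master_passwd(text):
    """Yield (name, crypted, home, shell) for each well-formed entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # name:password:uid:gid:class:change:expire:gecos:home_dir:shell
        fields = line.split(":")
        if len(fields) != 10:
            continue
        yield fields[0], fields[1], fields[8], fields[9]

def disabled_but_loginable(text, valid_shells):
    """Names with a disabled password but a shell that still permits login."""
    flagged = []
    for name, crypted, _home, shell in parse_master_passwd(text):
        shell = shell or "/bin/sh"  # an empty shell field defaults to /bin/sh
        if password_disabled(crypted) and shell in valid_shells:
            flagged.append(name)
    return flagged

# Constructed sample entries (hashes are placeholders, not real ones).
SAMPLE = """\
root:$2a$08$CONSTRUCTEDconstructedCONSTRUCTEDconstructed:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
alice:!$2a$08$CONSTRUCTEDconstructedCONSTRUCTEDconstructed:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
bob:*:1001:1001::0:0:Bob:/home/bob:/sbin/nologin
carol:*:1002:1002::0:0:Carol:/home/carol:
dave:abcdefghijklm:1003:1003::0:0:Dave:/home/dave:/bin/sh
"""
VALID_SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh"}  # stand-in for /etc/shells

if __name__ == "__main__":
    for login in disabled_but_loginable(SAMPLE, VALID_SHELLS):
        print(f"{login}: password disabled, shell valid; review other access methods")
```
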