Why should we expire a locked account to totally prevent access?

From man usermod:

Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.

  • Why should we expire a locked account to totally prevent access to the account?
  • What will happen if I do not expire a locked account?

Solution 1:

usermod -L actually only locks the user's password, so the user is still able to log in using other methods, for example an ssh session which uses public key authentication.

But if you set the EXPIRE_DATE to 1, the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at 1970-01-01 00:00:01.

Solution 2:

Because ssh keys don't care about passwords, you need the account to die instead.

The old wisdom was to change the user's shell to /bin/false; however, this doesn't actually work.
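
An audit for the gap both answers describe, as an added example that is not part of either answer: it lists accounts whose password is locked (the "!" prefix that usermod -L puts in front of the hash) but whose expiry field in a shadow(5)-format file is empty or still in the future. The function names `locked_not_expired` and `sample_shadow` are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: find accounts that are password-locked but not expired,
# i.e. still usable through non-password logins such as ssh public keys.

# locked_not_expired FILE [TODAY_DAYS]
#   FILE        a shadow(5)-format file (reading /etc/shadow needs root)
#   TODAY_DAYS  today as days since 1970-01-01; defaults to the current date
locked_not_expired() {
    file=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        # Skip comments and lines too short to carry an expiry field.
        /^#/ || NF < 8 { next }
        # "!" in front of a hash: the password was locked.
        $2 ~ /^!+[^!]/ {
            # Field 8 is the account expiry in days since 1970-01-01.
            # Empty means the account never expires.
            if ($8 == "" || $8 + 0 > today + 0) print $1
        }
    ' "$file"
}

# Constructed sample data (placeholder hashes, not real ones).
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTED$hashA:19000:0:99999:7:::
bob:!$6$CONSTRUCTED$hashB:19000:0:99999:7:::
carol:!$6$CONSTRUCTED$hashC:19000:0:99999:7::1:
dave:!$6$CONSTRUCTED$hashD:19000:0:99999:7::30000:
daemon:*:19000:0:99999:7:::
EOF
}
```

With the sample data and day 20000 as "today", bob (locked, no expiry) and dave (locked, expiry still in the future) are reported; carol, locked and expired with the value 1 from the man page note, is not.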