Why should we expire a locked account to totally prevent access?
From man usermod
:
Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.
- Why should we expire a locked account to totally prevent access to the account?
- What will happen if I do not expire a locked account?
Solution 1:
usermod -L
actually only locks the user's password, so user still is able to login using other methods for example an ssh session which uses public key authentication.
But if you set the EXPIRE_DATE
to 1 the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at1970-01-01 00:00:01
.
Solution 2:
Because ssh keys don't care about passwords you need the account to die instead.
The old wisdom was change the user's shell to /bin/false
; however this doesn't actually work.