How to disable an Unix id?

> Without a proper password and proper shell, nobody can remotely or locally login with the user account.
wrong
as root you can always
and as user you can if you know the password (it's tricky, but possible;-)

I'd suggest to remove the user from /etc/passwd.

Actaully passwd -l should be used for user accounts


the UNIX IDs you are talking about should not have passwd -l applied to them


WHY?

becuase passwd -l will disable the UNIX ID to run cron jobs which some of the IDs do (ie.  sys)


What you should od is 2 things

one is vi the /etc/shadow file

In the 2nd field replace and hashed password or *LK* with the entry NP

next in the /etc/passwd file in the field where the shells are defined, put in /bin/false for all UNIX accounts you want disabled.


That is how you should go about deisabling the default UNIX IDs

As always, it the commands to lock an account depend on with Unix flavour you are running.

A generic way to "disable" accounts is to set a non valid shell like /bin/false

Tintin, take care with /bin/false, it does *not* disable an account! (tricky logins are still possible)
I'm pedantic as usual 'cause we're in Unix Security TA ;-)

True.  Disable was probably the wrong choice of word. Prevent login is probably better term.

Hi ahoffmann,

With root, try su to a user without a proper shell and type whoami. I still get root, which mean cannot su to the user. However, you can change the effective UID from root to the user in your own program. I know that.

But, in terms of security, if you already can get the root access, getting access to unattended account does not have much meaning to the hacker.

As long as you do not leave the password field in /etc/shadow empty, and contain only less than 5 characters, nobody can login by using password, because either the old-day crypt or MD5 password requires a string more than 4 characters. The "salt" alone already takes up the first few character space! Editing the shadow file manually or using the passwd -l command does the trick, and passwd -l might have some more further actions to lock the account.

Some IDs must exist, and probably used by running daemon or specific task, so cannot be simply deleted.

If the IDs are totally not in use, you should delete them.
userdel username
userdel -r username     (this will remove the user's home directory as well)

ahoffmann's http:#15252116 is right,  use with /bin/false as  login shell still can do FTP, or someone can "su" as the user to run command the user.

if the account is no long in use, why not just delete them.
you can use "userdel" to delete the user.

if you still want to keep it. use vi to edit /etc/passwd file a put a # in front of
the login name to dis able it.

Manager decided to make thing "easy" so all ids will be created on all servers even though they will never be used (in order to keep same UID/GID for failover purpose.)  Hence there will be a bunch of test ids created on the PROD server, so I'm hoping to find out more on how to "disable" an unix id to prevent others from accessible them.

Thanks.

Have a look at the following docs to lock the users accounts:

http://open.itworld.com/5040/nls_unixpasswordage1/page_1.html

also some good infor in part2-4 (links in the above page)

If you have a lot of servers, should make use of NIS (yp), LDAP or Radius to centralize the user management. Nowadays, directory services similar to LDAP are in use in Novell and Windows system. Check out http://www.openldap.org for more details.

To delete the test IDs, use the userdel command as mentioned above.