</term>
<listitem>
<para>
- Lock the named account. This option disables an account by changing
- the password to a value which matches no possible encrypted value,
- and by setting the account expiry field to 1.
+ Lock the password of the named account. This option disables a
+ password by changing it to a value which matches no possible
+ encrypted value (it adds a ´!´ at the beginning of the
+ password).
+ </para>
+ <para>
+ Note that this does not disable the account. The user may
+ still be able to login using another authentication token
+ (e.g. an SSH key). To disable the account, administrators
+ should use <command>usermod --expiredate 1</command> (this set
+ the account's expire date to Jan 2, 1970).
+ </para>
+ <para>
+ Users with a locked password are not allowed to change their
+ password.
</para>
</listitem>
</varlistentry>
<para>
Display account status information. The status information
consists of 7 fields. The first field is the user's login name.
- The second field indicates if the user account is locked (L),
+ The second field indicates if the user account has a locked
+ password (L),
has no password (NP), or has a usable password (P). The third
field gives the date of the last password change. The next four
fields are the minimum age, maximum age, warning period, and
</term>
<listitem>
<para>
- Unlock the named account. This option re-enables an account by
- changing the password back to its previous value (to value before
- using <option>-l</option> option), and by resetting the account
+ Unlock the password of the named account. This option
+ re-enables a password by changing the password back to its
+ previous value (to the value before using the
+ <option>-l</option> option), and by resetting the account
expiry field.
</para>
</listitem>
<citerefentry>
<refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
+ <citerefentry>
+ <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
</para>
</refsect1>
</refentry>
eflg = false, /* -e - force password change */
iflg = false, /* -i - set inactive days */
kflg = false, /* -k - change only if expired */
- lflg = false, /* -l - lock account */
+ lflg = false, /* -l - lock the user's password */
nflg = false, /* -n - set minimum days */
qflg = false, /* -q - quiet mode */
Sflg = false, /* -S - show password status */
- uflg = false, /* -u - unlock account */
+ uflg = false, /* -u - unlock the user's password */
wflg = false, /* -w - set warning days */
xflg = false; /* -x - set maximum days */
" -k, --keep-tokens change password only if expired\n"
" -i, --inactive INACTIVE set password inactive after expiration\n"
" to INACTIVE\n"
- " -l, --lock lock the named account\n"
+ " -l, --lock lock the password of the named account\n"
" -n, --mindays MIN_DAYS set minimum number of days before password\n"
" change to MIN_DAYS\n"
" -q, --quiet quiet mode\n"
" -r, --repository REPOSITORY change password in REPOSITORY repository\n"
" -S, --status report password status on the named account\n"
- " -u, --unlock unlock the named account\n"
+ " -u, --unlock unlock the password of the named account\n"
" -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n"
" -x, --maxdays MAX_DAYS set maximim number of days before password\n"
" change to MAX_DAYS\n"
if (uflg && *cp == '!') {
if (cp[1] == '\0') {
fprintf (stderr,
- _("%s: unlocking the user would result in a passwordless account.\n"
- "You should set a password with usermod -p to unlock this user account.\n"),
+ _("%s: unlocking the password would result in a passwordless account.\n"
+ "You should set a password with usermod -p to unlock the password of this account.\n"),
Prog);
} else {
cp++;
if (do_update_age) {
nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
}
- if (lflg) {
- /* Set the account expiry field to 1.
- * Some PAM implementation consider zero as a non expired
- * account.
- */
- nsp->sp_expire = 1;
- }
- if (uflg)
- nsp->sp_expire = -1;
/*
* Force change on next login, like SunOS 4.x passwd -e or Solaris
* -g execute gpasswd command to interpret flags
* -i # set sp_inact to # days (*)
* -k change password only if expired
- * -l lock the named account (*)
+ * -l lock the password of the named account (*)
* -n # set sp_min to # days (*)
* -r # change password in # repository
* -s execute chsh command to interpret flags
* -S show password status of named account
- * -u unlock the named account (*)
+ * -u unlock the password of the named account (*)
* -w # set sp_warn to # days (*)
* -x # set sp_max to # days (*)
*
projects / shadow / commitdiff