Managing Dormant Accounts
If a user is going to be gone for an extended period of time, you may wish to consider preventing direct logins to the user’s account until her return. This assures that an intruder won’t use the person’s account in her absence. You may also wish to disable accounts that are seldom used, enabling them only as needed.
If you think that you do not need to be concerned with accounts belonging to people who are traveling or that are seldom used, think again: many security breaks have resulted from the penetration of such accounts. There are many reasons:
If the account’s legitimate owner is traveling and not using his account, then no one is looking at the account to notice things like files that have suddenly appeared, suspicious email, or unaccounted logins and logouts.
Staff members who might normally be concerned that an account is being accessed from another country may dismiss their concerns if the account owner is, in fact, traveling abroad.
There are two simple ways to prevent logins to an account:
Change the account’s password, or modify it so it can’t be used.
Change the account’s login shell.
Actually, you may want to consider doing both.
Disabling an Account by Changing the Account’s Password
You can prevent logins to a user’s account by changing his password to something he doesn’t know. Remember: you must be the superuser to change another user’s password.
For example, you can change mary’s password simply by typing the following:
# passwd mary New ...Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
