On Wed, Mar 09, 2022 at 09:00:22PM +0100, Marc Haber wrote:
> On Tue, 8 Mar 2022 18:40:11 +0000, Simon McVittie <s...@debian.org>
> >--disabled-login: the new account has an empty password but is "locked";
> >so password authentication will fail, but "unlocking" the account will
> >result in login being accepted with a blank password (subject to other
> >policies like ssh PermitEmptyPasswords and PAM nullok)
>
> that way, --disabled-login doesn't sound desirable at all, it would
> violate the principle of least surprise at least for me. I'd have
> expected (and always believed) that a password of ! will also prevent
> ssh-key logins from happening.

I don't see how that follows from Simon's statement? AIUI, he's saying that that is true *until* you unlock the account (which essentially means dropping the "!" from the passwd file).

Am I misreading something here?

-- 
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
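
As an added illustration (not part of the thread and not adduser's own code), this sketch classifies the password field of shadow-format entries and lists accounts in the state described above: locked with nothing after the "!", so that dropping the "!" leaves a blank password. The sample entries are constructed, and treating every leading "!" as a lock marker is an assumption of the sketch.

```python
# Constructed sample in /etc/shadow format (not taken from a real system).
SAMPLE_SHADOW = """\
alice:$6$constructedsalt$constructedhash:19060:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19060:0:99999:7:::
svc-build:!:19060:0:99999:7:::
guest::19060:0:99999:7:::
daemon:*:19060:0:99999:7:::
"""


def _state(value):
    """State of a password field that carries no lock marker."""
    if value == "":
        return "blank"            # blank password; still subject to PAM nullok etc.
    if value.startswith("*"):
        return "no-valid-hash"    # no password can ever match this field
    return "hash"


def classify(field):
    """Return (state now, state once the leading '!' is dropped)."""
    after_unlock = _state(field.lstrip("!"))  # assumption: leading '!' = lock marker
    now = "locked" if field.startswith("!") else after_unlock
    return now, after_unlock


def risky_accounts(shadow_text):
    """Names of accounts that are locked now but would unlock to a blank password."""
    names = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue  # not a shadow entry
        if classify(parts[1]) == ("locked", "blank"):
            names.append(parts[0])
    return names


if __name__ == "__main__":
    for name in risky_accounts(SAMPLE_SHADOW):
        print(f"{name}: locked, but unlocking would leave a blank password")
```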