[Pkg-shadow-devel] Bug#389183: passwd: 'passwd -l/-u' should edit the shadow account expiry field *in addition* to editing the password field as they do know

Nicolas François nicolas.francois at centraliens.net
Sun Aug 3 03:13:57 UTC 2008

tags 389183 wontfix

This bug is indeed not fixed since its patch was reverted.

I decided to revert it because it breaks some expectations from users
used to passwd -l only locking the passwd.

I could have a look at 3 different sources:
 * pwdutils (provides passwd on Suse)
   passwd -l is documented as locking the account but only locks the
   user's account (as documented by the usage string)
 * OpenSolaris
   locks the user's password
 * fedora's passwd package
   passwd -l is documented as locking the account but only locks the
   user's account

The reversion was done after 492307, which was triggered by Ubuntu bugs:
  * https://bugs.launchpad.net/bugs/185767
  * https://bugs.launchpad.net/bugs/238755
  * https://bugs.launchpad.net/bugs/251696

These bugs were caused by users expecting passwd -l to only lock the
password / users being recommended to use passwd -l:

I currently think that passwd should only touch the password.
(I would also prefer usermod --lock to locks the account)

Together with the reversion of the patch, I documented passwd -l to
actually mention what it really does:
       -l, --lock
           Lock the password of the named account. This option disables a
           password by changing it to a value which matches no possible
           encrypted value (it adds a ´!´ at the beginning of the password.

           Note that this does not disable the account. The user may still be
           able to login using another authentication token (e.g. an SSH key).
           To disable the account, administrators should use usermod
           --expiredate 1 (this set the account´s expire date to Jan 2, 1970).

           Users with a locked password are not allowed to change their

Best Regards,

More information about the Pkg-shadow-devel mailing list