[Pkg-shadow-devel] Bug#562221: manpages of passwd and usermod report wrong instructions about locking accounts

Paride Legovini legovini at spiro.fisica.unipd.it
Wed Dec 23 21:48:56 UTC 2009

Package: passwd
Version: 1:
Severity: normal

I found that the manpages of passwd and usermod report a non-working
procedure about how to lock accounts.

>From `man passwd':

-l, --lock
Note that this does not disable the account. The user may still be
able to login using another authentication token (e.g. an SSH key).
To disable the account, administrators should use usermod
--expiredate 1 (this set the account´s expire date to Jan 2, 1970).

and, from `man usermod':

-L, --lock
Note: if you wish to lock the account (not only access with a
password), you should also set the EXPIRE_DATE to 1.

However, `usermod -e 1 <username>' does not set the expiraton date to
Jan 2, 1970 (1970-01-01 + 1day), but to the current date. This means
that the account won't be locked until the next day (this is the real

Ubuntu behaves differently, there `passwd -L' locks the password AND the
account by setting the expiration date to Jan 2, 1970. I think that this
might be a good way to implement account locking, and there'e no need to
mention 'usermod -e 1` in the manpages (or it must be fixed).

Hope this helps.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages passwd depends on:
ii  debianutils                   3.2.2      Miscellaneous utilities specific t
ii  libc6                         2.10.2-2   GNU C Library: Shared libraries
ii  libpam-modules                1.1.0-4    Pluggable Authentication Modules f
ii  libpam0g                      1.1.0-4    Pluggable Authentication Modules l
ii  libselinux1                   2.0.89-4   SELinux runtime shared libraries

passwd recommends no packages.

passwd suggests no packages.

-- no debconf information

More information about the Pkg-shadow-devel mailing list