`# passwd -l root` effectively disables logging in as root using its password - for example, `su` will be impossible.
Note that there are other ways to perform operations as root:
- using "sudo $cmd"
- using key authentication for SSH login; it will not ask for the root password.
The system will still need to run certain things as root in order for the machine to function properly.
Ah yes, this makes sense. The wording of the man page is a little confusing to me. It says after `passwd -l`, users can still log in. Then, it suggests disabling the account instead. Hence, I interpreted "disable" to mean "unable to login", whereas it seems that you are suggesting "disable" means "unable to do anything at all".
I've also tried to search more about using "x" instead of "!" in /etc/shadow, but can't find anything. I presume "x" is a better alternative since the new config files ship with it?
`# passwd -l root`
However, the man page suggests something different.
$ man passwd
...
-l, --lock
Lock the password of the named account. This option disables a password by changing it to a value which
matches no possible encrypted value (it adds a '!' at the beginning of the password).
Note that this does not disable the account. The user may still be able to login using another authentication
token (e.g. an SSH key). To disable the account, administrators should use usermod
--expiredate 1 (this set the account's expire date to Jan 2, 1970).
Should the wiki suggest this strategy instead?
Also, it seems like a recent update changed the default formatting of /etc/shadow, using "x" instead of "!" to denote no matching password? I haven't seen this documented anywhere.
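
Added example, not part of the original posts: a shell function that reads shadow(5)-format lines and reports, per account, the password state and the account state separately, which is the distinction the quoted man page draws between locking a password and disabling an account. The function names, sample entries and placeholder hash are constructed for illustration, and treating a leading `$` as "real hash" is a simplifying assumption.

```shell
#!/bin/sh
# Constructed sample in shadow(5) format; the hash text is a placeholder.
sample_shadow() {
    cat <<'EOF'
root:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
svc:x:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
olduser:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7::1:
EOF
}

# classify_shadow TODAY_IN_DAYS_SINCE_EPOCH   (shadow lines on stdin)
# Field 2 is the password, field 8 the account expiry in days since 1970-01-01.
classify_shadow() {
    awk -F: -v today="$1" '
    {
        pw = $2; expire = $8
        if (pw == "")                     pwstate = "empty"   # no password set
        else if (substr(pw, 1, 1) == "!") pwstate = "locked"  # what passwd -l produces
        else if (substr(pw, 1, 1) == "$") pwstate = "hash"    # assumption: $id$ crypt format
        else                              pwstate = "nohash"  # "*", "x", ...: matches no password
        # Expiry is independent of the password field; 0 or empty means no expiry here.
        acct = (expire != "" && expire + 0 > 0 && today + 0 >= expire + 0) ? "expired" : "active"
        printf "%s password=%s account=%s\n", $1, pwstate, acct
    }'
}

# Stand-alone run on the constructed sample. On a real host, feed it
# /etc/shadow as root instead of sample_shadow.
sample_shadow | classify_shadow "$(( $(date +%s) / 86400 ))"
```

Accounts reported as `password=locked account=active` or `password=nohash account=active` cannot authenticate with a password but are still reachable through other tokens such as SSH keys; only `account=expired` reflects `usermod --expiredate 1`.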