• meow
    link
    fedilink
    arrow-up
    13
    ·
    1 year ago

    Their TL;DR is at the bottom:

    Summing up

    Over time, commands have become more complex to turn off user account passwords, and the attack surface of Linux systems has also increased. The correct procedure is as follows:

    1. Stop all Linux processes owned by the user:

    # killall -STOP -u

    1. Delete the user password:

    # passwd -d

    1. Lockdown the user account:

    # usermod -L -e 1

    1. Politely refuse a login for the user account:

    # usermod -s /usr/sbin/nologin

    Reversing all that is underneith the TL;DR:

    How do I reverse the procedure?

    First, set user login shell to /bin/bash:

    # usermod -s /bin/bash

    Unlock the user account:

    # passwd -u

    Set a new password for the user account:

    # passwd

    If the Linux system wasn’t rebooted and all processes weren’t killed unlock and resume all Linux processes owned by the user:

    # killall -CONT -u