This was reported to security@redhat.com by Jason Savoie.  I have verified this
behavior on RHEL3.


Purpose: To disable an account from ssh/telnet/rsh login
Issue: executed the passwd -d <username> command and can still login as
that person with the old password


Hello, I was testing to see how I can make an account unavailable from
normal logins and also from using and ssh publickey authentication (if
they had it and we didn't know it unless we log into account and
manually remove it)


So, here is what I did.

# Created a test account on a machine running the following RH release

-bash-2.05b$ uname -a
Linux orange.westernasset.com 2.4.21-15.ELsmp #1 SMP Thu Apr 22 00:09:01
EDT 2004 x86_64 x86_64 x86_64 GNU/Linux
-bash-2.05b$ id
uid=4086(jsavoie) gid=151(ops) groups=151(ops)
-bash-2.05b$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 3 (Taroon Update 2)


# Created the account

sudo /usr/sbin/useradd -u 6666 test

# Gave it a password
sudo passwd test

# Went to another machine and logged in.

[jsavoie@rancho jsavoie]$ uname -a
Linux rancho.westernasset.com 2.4.21-15.ELsmp #1 SMP Thu Apr 22 00:09:01
EDT 2004 x86_64 x86_64 x86_64 GNU/Linux
[jsavoie@rancho jsavoie]$ ssh test@orange
test@orange's password:
[test@orange test]$

# Went to the test server and removed the password using the passwd -d
<username> command

bash-2.05b$ sudo passwd -d test
Removing password for user test.
passwd: Success

-bash-2.05b$ sudo grep test /etc/shadow
test::12825:0:99999:7:::

# Now, login from the other machine

[jsavoie@rancho jsavoie]$ ssh test@orange
test@orange's password:
Permission denied, please try again.
test@orange's password:
[test@orange test]$

(NOTE: the first time above was no passwd, then the old password and it
worked!!!)