1
00:00:03,160 --> 00:00:08,800
Now let's cover the last piece of this puzzle which is how to disable or how to lock an account without

2
00:00:08,830 --> 00:00:10,720
actually deleting it.

3
00:00:10,720 --> 00:00:16,110
Let's say you have someone who's going on an extended vacation or taking a leave of absence.

4
00:00:16,210 --> 00:00:18,470
You want them to use their account when they get back.

5
00:00:18,520 --> 00:00:24,190
But you also know that for every account that exists on a system there is a chance that someone can break

6
00:00:24,220 --> 00:00:29,390
into that account. Since this person is going to be away for a long time,

7
00:00:29,470 --> 00:00:34,950
no one may actually notice if the account is being used by someone who should not have access to it.

8
00:00:34,960 --> 00:00:39,260
So let's say you decide to go ahead and lock that account for security reasons.

9
00:00:39,370 --> 00:00:45,610
The best way to do this is to actually use the chage command, or change age.

10
00:00:45,700 --> 00:00:48,670
Actually you can think of it as the change age command.

11
00:00:48,700 --> 00:00:55,610
So let's look at the man page for this command. Page down here till we get to the dash capital E option

12
00:00:55,610 --> 00:00:58,690
and that's the option to expire an account.

13
00:00:58,820 --> 00:01:05,900
Here it says you can specify either a date or the number of days since January 1st 1970.

14
00:01:05,900 --> 00:01:12,740
It also says to unexpire the account, use negative 1 or dash 1 or hyphen 1 for the argument to the dash

15
00:01:12,740 --> 00:01:14,150
capital E option.

16
00:01:14,180 --> 00:01:16,130
So let's go ahead and try this out.

17
00:01:16,520 --> 00:01:23,610
So we have a user on the system called was. This user has a UID of 1008. If we change to this user,

18
00:01:23,640 --> 00:01:25,320
Let's see if it's working here.

19
00:01:26,500 --> 00:01:32,320
Sure enough, it is. I created it with a password of past 2:59 in my particular system, and it may not be that

20
00:01:32,350 --> 00:01:34,690
on your system, just something to keep in mind.

21
00:01:34,990 --> 00:01:35,740
Type exit here.

22
00:01:35,740 --> 00:01:37,720
Now back to the vagrant user.

23
00:01:37,720 --> 00:01:39,720
So let's expire this account.

24
00:01:42,590 --> 00:01:46,970
Now let's try to switch to the account.

25
00:01:47,170 --> 00:01:49,420
And sure enough it says hey your account is expired.

26
00:01:49,510 --> 00:01:52,210
Please contact your system administrator.

27
00:01:52,330 --> 00:01:58,060
So as we learned from the man page we can actually unlock this account with dash dash 1 So what do you

28
00:01:58,060 --> 00:02:05,310
say to change the age of the expiration to negative 1 on the account of ys.

29
00:02:05,320 --> 00:02:11,930
Now let's see if we can log into this account, and sure enough we can, and there's been one failed

30
00:02:11,930 --> 00:02:14,540
login attempt since we logged in while the account was locked.

31
00:02:14,560 --> 00:02:20,590
Let's get back out and go back to the vagrant user. Some older methods of locking an account include using

32
00:02:20,590 --> 00:02:23,100
the dash l option to passwd, something like this.

33
00:02:24,330 --> 00:02:30,360
So passwd dash l was, and then it says, hey, I've locked the account, and then to unlock it you would use

34
00:02:30,360 --> 00:02:36,720
passwd dash u against the account name, and sure enough it says, hey, we've unlocked that user

35
00:02:36,780 --> 00:02:38,560
and you're good to go now.

36
00:02:38,580 --> 00:02:44,280
Locking an account with the passwd command like this does not prevent a user authenticating with an

37
00:02:44,280 --> 00:02:45,410
SSH key.

38
00:02:45,440 --> 00:02:50,520
It's very important to know, especially since more and more we're using SSH keys as our primary method

39
00:02:50,520 --> 00:02:51,800
of authentication.

40
00:02:51,930 --> 00:02:56,460
So if you're using SSH keys at all, this is not going to do what you think it's going to do.

41
00:02:56,460 --> 00:02:57,720
So don't do it.

42
00:02:57,730 --> 00:03:00,900
Use chage instead.

43
00:03:00,900 --> 00:03:06,000
Another method is to set the shell to something that is actually not a shell or something that simply

44
00:03:06,090 --> 00:03:11,970
exits. To look at the available shells on a system you can look at the /etc/shells file, and do that: cat

45
00:03:12,330 --> 00:03:20,040
/etc/shells, and I'll see here /sbin/nologin, /usr/sbin/nologin, and those would in theory prevent someone

46
00:03:20,040 --> 00:03:21,250
from logging in.

47
00:03:21,270 --> 00:03:29,820
So let's do that. We'll set the shell of the was user to be nologin with the usermod command. Dash

48
00:03:29,910 --> 00:03:36,540
s is to specify the shell; we'll give it nologin, and we'll set that to was.

49
00:03:36,870 --> 00:03:41,100
I think I've covered enough in this lesson, so I'm not going to take another diversion and cover the

50
00:03:41,100 --> 00:03:42,010
usermod command.

51
00:03:42,060 --> 00:03:46,800
So if you want to learn more about how to change all the settings for an existing account simply read

52
00:03:46,800 --> 00:03:49,080
the usermod man page.

53
00:03:49,230 --> 00:03:55,350
At first glance you think that this might actually work, because if you SSH in and you have nologin

54
00:03:55,380 --> 00:03:56,650
that is your shell.

55
00:03:56,700 --> 00:04:00,010
You'll get immediately logged out of the system.

56
00:04:00,090 --> 00:04:06,540
It does work for interactive logins like I just described, but you can still do some things with SSH that

57
00:04:06,540 --> 00:04:13,450
don't require an interactive login or don't require a shell, such as port forwarding.

58
00:04:13,770 --> 00:04:21,620
So again, use the chage command with the dash capital E 0 option to actually disable the account.

59
00:04:21,630 --> 00:04:27,240
We spent a lot of time here at the command line today, so for fun let's write a quick shell script that

60
00:04:27,240 --> 00:04:30,880
deletes a user account using some of what we've seen today.

61
00:04:30,900 --> 00:04:34,720
So let's go ahead and go into our shared folder of /vagrant.

62
00:04:34,720 --> 00:04:39,900
I'm going to call this particular script luser-demo12.sh

63
00:04:42,590 --> 00:04:45,330
Goes without saying we need a shebang.

64
00:04:45,770 --> 00:04:47,240
Let's give this a description

65
00:04:52,960 --> 00:04:55,290
Since we're doing some system administrator type stuff,

66
00:04:55,300 --> 00:04:58,890
we want to make sure the user is executing the script with root privileges.

67
00:04:58,900 --> 00:05:00,310
We already know how to do this check

68
00:05:06,780 --> 00:05:08,610
if the user ID is not equal to zero.

69
00:05:08,610 --> 00:05:10,460
That means they are not the root account.

70
00:05:10,590 --> 00:05:12,610
So let's give them a little message here.

71
00:05:19,530 --> 00:05:26,770
Let's write that to standard error and exit 1. OK, let's just assume which is on to get the word by

72
00:05:26,770 --> 00:05:32,750
the way, assume the first argument is the user to delete.

73
00:05:33,010 --> 00:05:36,930
We'll keep this script simple here, just for demonstration purposes.

74
00:05:37,000 --> 00:05:44,020
So we're just going to use a variable to represent the user. We'll call that user, assign that dollar sign

75
00:05:44,020 --> 00:05:49,240
one. By the way, you could use dollar sign one throughout the script; that would be acceptable.

76
00:05:49,250 --> 00:05:52,280
I just like to have a descriptive variable name.

77
00:05:52,280 --> 00:05:54,210
So now let's go ahead and delete the user

78
00:05:58,570 --> 00:06:02,200
and let's make sure the user actually got deleted.

79
00:06:05,040 --> 00:06:10,840
And we can do that by checking the return code or exit status of the userdel command, and if it's anything

80
00:06:10,840 --> 00:06:13,500
but zero we know it's bad news.

81
00:06:30,760 --> 00:06:35,860
So if we get past this if statement, that means the userdel command succeeded and that means we can

82
00:06:35,860 --> 00:06:40,180
tell the user that the account was actually deleted

83
00:06:45,050 --> 00:06:50,360
we can tell them which account was deleted which they specified.

84
00:06:50,550 --> 00:06:54,990
And then if we make it to the end of the script we exit with an exit status of zero because we've had

85
00:06:55,230 --> 00:07:02,170
a normal completion came in or on chmod here and make sure this is executable and then let's execute

86
00:07:02,170 --> 00:07:07,290
it with root privileges and let's delete a user. Actually, let's look at the last user and that's the

87
00:07:07,300 --> 00:07:09,730
password file on this particular system.

88
00:07:09,790 --> 00:07:10,970
It is more.

89
00:07:11,080 --> 00:07:16,460
So let's see this delete the account called more.

90
00:07:16,530 --> 00:07:19,000
It says the account more was deleted.

91
00:07:19,220 --> 00:07:19,820
We checked.

92
00:07:19,830 --> 00:07:21,520
Sure enough it's not there.

93
00:07:21,740 --> 00:07:25,600
Let's do something interesting, like try to delete an account that doesn't exist.

94
00:07:27,360 --> 00:07:30,050
It says userdel, user Jason does not exist.

95
00:07:30,050 --> 00:07:32,920
That's actually an error message from the userdel command.

96
00:07:33,170 --> 00:07:35,510
And then our error message is displayed.

97
00:07:35,510 --> 00:07:40,760
The account Jason was not deleted and that's because we checked for the exit status.

98
00:07:40,760 --> 00:07:44,660
of the userdel command. OK, let's wrap this up.

99
00:07:44,690 --> 00:07:50,580
In this particular lesson you learned how to delete an account using the userdel command.

100
00:07:50,780 --> 00:07:56,780
If you want to remove the user's home directory, use the dash r option to the userdel command. To find

101
00:07:56,780 --> 00:08:03,130
files on a system, use the find, locate, or ls commands. To create an archive of files,

102
00:08:03,140 --> 00:08:04,780
Use the tar command.
