On 24.01.19 at 17:36, Corinna Vinschen wrote:
>> If an admin can lock out an account (separately from disabling it
>> entirely), say, by setting an initial password, checking the "user must
>> change password on first login", and also checking "user is not allowed
>> to change password" simultaneously (if that's possible), or, say, by
>> just setting a random password without telling it to anyone ever,
>> followed by firing so many login attempts at the account that it gets
>> locked out, then telling them apart and treating locked out accounts
>> differently would make sense, IMO.
> This description sounds extremely artificial to me.
> We should work under
> the assumption that the admin is the good guy.

Uh, where did I imply anything else?

> Usually a user locks
> itself out, or is locked out by a malicious login attempt. The admin
> can only define rules for locking out, other than that she can only
> remove the "account locked" flag.

The methods listed above, well, at least the "brute force" one, would
work for intentionally creating an account that is locked out, but not
disabled - as a good guy admin. And the reason for doing so would be
the same as running "passwd -l username" on Linux - you don't want
your users to log in with a password, because you consider that too
insecure - instead, you want them to use the (hopefully
passphrase-protected) SSH key file.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registry court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
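The "passwd -l" analogy in the message above rests on the distinction between a locked password and a disabled account, which on Linux is visible directly in the /etc/shadow entry: passwd -l (or usermod -L) prefixes the stored hash with "!", keeping the hash but making password authentication fail, while an expiration date in field 8 disables the account for every login method. The script below is an added example for this thread, not code from the message or from Cygwin; it classifies constructed shadow-style lines (fake hashes, fake dates) so an administrator can audit which accounts are merely password-locked and which are fully disabled. The state names and the "today" parameter are my own choices, and whether sshd still accepts a public key for a password-locked account is decided by the distribution's PAM configuration and should be verified on the system in question.

```shell
#!/bin/sh
# Classify /etc/shadow-style entries into the states an admin cares about
# when telling "password locked" apart from "account disabled".
# SAMPLE_SHADOW is constructed test data, not taken from any real system.
SAMPLE_SHADOW='alice:$6$saltsalt$fakehashvalue:18000:0:99999:7:::
bob:!$6$saltsalt$fakehashvalue:18000:0:99999:7:::
carol:*:18000:0:99999:7:::
dave:$6$saltsalt$fakehashvalue:18000:0:99999:7::1:
erin::18000:0:99999:7:::'

# classify_shadow_line LINE TODAY
#   LINE   one shadow entry (name:hash:lastchg:min:max:warn:inactive:expire:flag)
#   TODAY  current day as days since 1970-01-01, passed in so runs are reproducible
classify_shadow_line() {
    _line=$1
    _today=$2
    IFS=: read -r _name _pw _lastchg _min _max _warn _inactive _expire _flag <<EOF
$_line
EOF
    # Field 8 (expiration) in the past: the whole account is disabled,
    # no matter how the user tries to authenticate.
    if [ -n "$_expire" ] && [ "$_expire" -le "$_today" ]; then
        echo "expired"
        return 0
    fi
    case $_pw in
        "")       echo "no-password" ;;        # empty field: login without a password
        '*'|'!*') echo "no-password-login" ;;  # no valid hash ever set; password auth impossible
        '!'*)     echo "password-locked" ;;    # passwd -l / usermod -L: hash kept, but unusable
        *)        echo "active" ;;             # ordinary password login possible
    esac
}

# users_in_state STATE TODAY: print the user names whose entry is in STATE
users_in_state() {
    _want=$1
    _today=$2
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r _l; do
        if [ "$(classify_shadow_line "$_l" "$_today")" = "$_want" ]; then
            printf '%s\n' "${_l%%:*}"
        fi
    done
}

# Example audit run; day 18500 (constructed "today", roughly mid-2020).
printf 'password-locked accounts: %s\n' "$(users_in_state password-locked 18500)"
printf 'expired accounts:         %s\n' "$(users_in_state expired 18500)"
```

On a real host the same functions can be fed from /etc/shadow as root; the point of the classification is that "password-locked" accounts are candidates for key-only access and deserve different handling from "expired" ones, which should not be able to log in at all.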