Is there any possible solution to disable a User from the CLI e.g. over SSH? There has to be a dscl command for that. Or is there a dsAttrTypeStandard attribute that I can set accordingly?
Any pointers ?
pwpolicy doesn't work for local accounts on OS X client. BUT you can use the dscl command to directly edit these authentication settings. This method is guaranteed to work for user-level OS X accounts (Guest, admin and other regular accounts which you would see listed on the login window). With this approach it doesn't matter whether the account is managed with an OS X Server / LDAP account. This method also works for all OS X system accounts (whose login shells you would otherwise disable).
Here's how:
# Read the AuthenticationAuthority key
dscl . -read /Users/username AuthenticationAuthority
AuthenticationAuthority: ;Kerberosv5;; \
username@LKDC:SHA1.41BE28E3B64EB62A42D0673968B9591DE18210F5; \
LKDC:SHA1.07264456235E49D45C4B99FC9549FC366CE32343; ; \
ShadowHash;HASHLIST:<SALTED-SHA1>
If not already disabled, then append DisabledUser
to this key's value, with a semicolon as the field separator. Excess / empty ; ;
fields are ignored.
dscl . -append /Users/username AuthenticationAuthority ";DisabledUser;"
To check an account's enabled / disabled status:
dscl . -read /Users/username AuthenticationAuthority | grep DisabledUser
For OS X system accounts: these accounts don't have an AuthenticationAuthority
key to begin with. Therefore their enabled / disabled status is determined by whether the UserShell
attribute has a valid login shell. So check the shell when AuthenticationAuthority
doesn't exist.
To re-enable the user account we just remove the DisabledUser
sub-string from the AuthenticationAuthority entry. We then use the dscl . -create
command and write back the whole thing.
dscl . -read /Users/username AuthenticationAuthority | \
sed 's/AuthenticationAuthority: //;s/DisabledUser//g;s/[; ]*$//' | \
xargs dscl . -create /Users/username AuthenticationAuthority
Get the AuthenticationAuthority credentials for all users:
dscl . -list /Users AuthenticationAuthority
System accounts: Just remember that a system account must also have a valid login shell.
This works in 10.5 and 10.6 on LDAP/OD accounts:
pwpolicy -a diradmin -u ajohnson -setpolicy "isDisabled=1"
Or for local accounts:
sudo dscl . -create /Users/ajohnson UserShell /usr/bin/false
Replace ajohnson with the short username of the user you wish to disable.
To re-enable simply set "isDisabled=0" instead of 1. Or in the case of local accounts to any shell in /etc/shells
The pwpolicy example is from page 62 of the User Management Documentation (Snow Leopard) or page 106 of the Command Line Administration Leopard manual.
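Putting the two answers above together, here is an added example (my own script, not code posted by either answerer) that wraps the AuthenticationAuthority technique from the first answer and the UserShell fallback from the second in one idempotent helper: it never appends DisabledUser twice, it drops the whole DisabledUser field on re-enable instead of leaving empty ; ; fields behind, and when an account has no AuthenticationAuthority attribute at all (system accounts) it falls back to checking or setting the login shell. Function names, the assumption that dscl prints all values on the "AuthenticationAuthority: " line separated by spaces, and the sample value in the comments are mine, not documented dscl behaviour.

```shell
#!/bin/sh
# Added example: idempotent disable / enable / status helpers around dscl.
# Names below (aa_*, account_status, disable_user, enable_user) are my own.
set -u

AA_DISABLED_TOKEN=';DisabledUser;'

# Returns 0 if the AuthenticationAuthority value list (everything after the
# "AuthenticationAuthority: " prefix, values separated by spaces) contains a
# DisabledUser field, 1 otherwise. Pure string test, no dscl call.
aa_is_disabled() {
    case "$1" in
        *DisabledUser*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the value list with every DisabledUser field removed, keeping the
# remaining values (ShadowHash, Kerberosv5, ...) in their original order.
# Assumes individual values contain no spaces, which holds for the stock
# ;ShadowHash;... and ;Kerberosv5;... entries.
aa_strip_disabled() {
    out=''
    set -f                      # no globbing while word-splitting the values
    for v in $1; do
        case "$v" in *DisabledUser*) continue ;; esac
        out="${out:+$out }$v"
    done
    set +f
    printf '%s\n' "$out"
}

# Raw value list of AuthenticationAuthority for a local user; empty when the
# attribute is absent (typical for system accounts). Assumes dscl prints the
# values on the same line as the attribute name.
aa_read() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null |
        sed -n 's/^AuthenticationAuthority: *//p'
}

# Prints "enabled" or "disabled". Accounts without AuthenticationAuthority are
# judged by whether UserShell is a real login shell listed in /etc/shells.
account_status() {
    aa=$(aa_read "$1")
    if [ -n "$aa" ]; then
        if aa_is_disabled "$aa"; then echo disabled; else echo enabled; fi
        return 0
    fi
    shell=$(dscl . -read "/Users/$1" UserShell 2>/dev/null | sed 's/^UserShell: *//')
    if grep -qxF "$shell" /etc/shells 2>/dev/null; then echo enabled; else echo disabled; fi
}

disable_user() {
    aa=$(aa_read "$1")
    if [ -z "$aa" ]; then
        # System account: no AuthenticationAuthority, so invalidate the shell.
        sudo dscl . -create "/Users/$1" UserShell /usr/bin/false
        return 0
    fi
    aa_is_disabled "$aa" && return 0          # already disabled, don't append twice
    sudo dscl . -append "/Users/$1" AuthenticationAuthority "$AA_DISABLED_TOKEN"
}

# Second argument: shell to restore for a system account (default /bin/sh).
enable_user() {
    aa=$(aa_read "$1")
    if [ -z "$aa" ]; then
        sudo dscl . -create "/Users/$1" UserShell "${2:-/bin/sh}"
        return 0
    fi
    aa_is_disabled "$aa" || return 0          # nothing to do
    new=$(aa_strip_disabled "$aa")
    set -f
    # Unquoted on purpose: each value becomes its own dscl argument.
    sudo dscl . -create "/Users/$1" AuthenticationAuthority $new
    set +f
}

# Usage: ./acct.sh status|disable|enable <username> [shell]
case "${1:-}" in
    status)  account_status "$2" ;;
    disable) disable_user "$2" ;;
    enable)  enable_user "$2" "${3:-/bin/sh}" ;;
esac
```

Run it as `sh acct.sh status ajohnson` before and after `sh acct.sh disable ajohnson` to confirm the toggle; the string helpers can be exercised on any machine, only the dscl wrappers need a Mac.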
We have some OSX clients authenticating from a Linux LDAP server. What worked for me was setting a user's loginShell attribute to /usr/bin/false. This seems to prevent both SSH and graphical logins.