In this answer, it was suggested that the UNIX way of adding a `!` in front of the password field would work. I claim that this is not a clean solution. It will not make logins impossible, but merely changes the password to the literal content of the password field (of which the first character is `!`).
For example, assume the password field now looks like this:

`!{CRYPT}$6$rounds=1000000$xxx$yyy`

Here, `xxx` stands for the salt, and `yyy` for the hash.
That string will now be the user's password. For many practical purposes, this means the user cannot log in anymore, since she does not know her salt. But, in theory, by guessing the salt, login is still possible. Even worse, if an attacker obtains the LDAP database, he can now easily log in to this "locked" account, since hashing apparently is no longer used.
How can it be done instead?
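The mechanism the question describes, as an added illustration that is not part of the original post: a simplified model of how a directory server such as OpenLDAP decides whether a `userPassword` value is hashed (a recognised `{SCHEME}` prefix at position 0) or cleartext (anything else), plus a small audit that flags entries whose value no longer starts with a known scheme. The model is an assumption about server behaviour, not slapd's code; the runnable check uses `{SSHA}` because `{CRYPT}` needs the platform crypt(3), which is only used here when Python's `crypt` module is available.

```python
import base64
import hashlib
import hmac
import os

# Model (assumption, not slapd's code): a leading "{SCHEME}" selects a hash
# scheme; a value with no recognised scheme prefix is compared as cleartext.
KNOWN_SCHEMES = ("{SSHA}", "{CRYPT}")


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, candidate: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def check_crypt(stored: str, candidate: str) -> bool:
    try:
        import crypt  # deprecated in 3.11, removed in 3.13: treat as unavailable
    except ImportError:
        return False
    hashed = stored[len("{CRYPT}"):]
    return hmac.compare_digest(crypt.crypt(candidate, hashed), hashed)


def verify(stored: str, candidate: str) -> bool:
    """Return True if candidate authenticates against the stored userPassword."""
    if stored.startswith("{SSHA}"):
        return check_ssha(stored, candidate)
    if stored.startswith("{CRYPT}"):
        return check_crypt(stored, candidate)
    # No scheme at position 0 (e.g. "!{CRYPT}..."): the whole value IS the password.
    return hmac.compare_digest(stored.encode(), candidate.encode())


def audit(entries: dict) -> list:
    """Return DNs whose userPassword does not start with a recognised hash scheme."""
    return [dn for dn, pw in entries.items() if not pw.startswith(KNOWN_SCHEMES)]
```

Prefixing `!` turns the stored hash into a cleartext password equal to the whole string, which is exactly what `audit` is meant to surface in a dump of the directory.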