* NEWS, src/passwd.c: For compatibility with other passwd version,

the --lock an --unlock options do not lock or unlock the user
	account anymore.  They only lock or unlock the user's password.
	* man/passwd.1.xml: Document above change. Document how an account
	can be locked and what a password lock means.

ChangeLog

@@ -1,3 +1,11 @@
+2008-08-17  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/passwd.c: For compatibility with other passwd version,
+	the --lock an --unlock options do not lock or unlock the user
+	account anymore.  They only lock or unlock the user's password.
+	* man/passwd.1.xml: Document above change. Document how an account
+	can be locked and what a password lock means.
+
 2008-08-15  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* man/groupadd.8.xml: Fix the regular expression for group policy.

NEWS

@@ -17,6 +17,10 @@ shadow-4.1.2.1 -> shadow-4.1.3						UNRELEASED
   * /etc/group is open readonly when one just wants to list the users of a
     group.
   * Added syslog support.
+- passwd
+  * For compatiobility with other passwd version, the --lock an --unlock
+    options do not lock or unlock the user account anymore.  They only
+    lock or unlock the user's password.
 
 shadow-4.1.2 -> shadow-4.1.2.1						26-06-2008
 

man/passwd.1.xml

@@ -196,9 +196,21 @@
 	</term>
 	<listitem>
 	  <para>
-	    Lock the named account. This option disables an account by changing
+	    Lock the password of the named account. This option disables a
-	    the password to a value which matches no possible encrypted value,
+	    password by changing it to a value which matches no possible
-	    and by setting the account expiry field to 1.
+	    encrypted value (it adds a ´!´ at the beginning of the
+	    password).
+	  </para>
+	  <para>
+	    Note that this does not disable the account. The user may
+	    still be able to login using another authentication token
+	    (e.g. an SSH key). To disable the account, administrators
+	    should use <command>usermod --expiredate 1</command> (this set
+	    the account's expire date to Jan 2, 1970).
+	  </para>
+	  <para>
+	    Users with a locked password are not allowed to change their
+	    password.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -242,7 +254,8 @@
 	  <para>
 	    Display account status information. The status information
 	    consists of 7 fields. The first field is the user's login name. 
-	    The second field indicates if the user account is locked (L),
+	    The second field indicates if the user account has a locked
+	    password (L),
 	    has no password (NP), or has a usable password (P). The third
 	    field gives the date of the last password change. The next four
 	    fields are the minimum age, maximum age, warning period, and
@@ -257,9 +270,10 @@
 	</term>
 	<listitem>
 	  <para>
-	    Unlock the named account. This option re-enables an account by
+	    Unlock the password of the named account. This option
-	    changing the password back to its previous value (to value before
+	    re-enables a password by changing the password back to its
-	    using <option>-l</option> option), and by resetting the account
+	    previous value (to the value before using the
+	    <option>-l</option> option), and by resetting the account
 	    expiry field.
 	  </para>
 	</listitem>
@@ -402,6 +416,9 @@
       <citerefentry>
 	<refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>.
+      <citerefentry>
+	<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
     </para>
   </refsect1>
 </refentry>

src/passwd.c

@@ -79,11 +79,11 @@ static bool
     eflg = false,			/* -e - force password change */
     iflg = false,			/* -i - set inactive days */
     kflg = false,			/* -k - change only if expired */
-    lflg = false,			/* -l - lock account */
+    lflg = false,			/* -l - lock the user's password */
     nflg = false,			/* -n - set minimum days */
     qflg = false,			/* -q - quiet mode */
     Sflg = false,			/* -S - show password status */
-    uflg = false,			/* -u - unlock account */
+    uflg = false,			/* -u - unlock the user's password */
     wflg = false,			/* -w - set warning days */
     xflg = false;			/* -x - set maximum days */
 
@@ -163,13 +163,13 @@ static void usage (int status)
 	         "  -k, --keep-tokens             change password only if expired\n"
 	         "  -i, --inactive INACTIVE       set password inactive after expiration\n"
 	         "                                to INACTIVE\n"
-	         "  -l, --lock                    lock the named account\n"
+	         "  -l, --lock                    lock the password of the named account\n"
 	         "  -n, --mindays MIN_DAYS        set minimum number of days before password\n"
 	         "                                change to MIN_DAYS\n"
 	         "  -q, --quiet                   quiet mode\n"
 	         "  -r, --repository REPOSITORY   change password in REPOSITORY repository\n"
 	         "  -S, --status                  report password status on the named account\n"
-	         "  -u, --unlock                  unlock the named account\n"
+	         "  -u, --unlock                  unlock the password of the named account\n"
 	         "  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS\n"
 	         "  -x, --maxdays MAX_DAYS        set maximim number of days before password\n"
 	         "                                change to MAX_DAYS\n"
@@ -487,8 +487,8 @@ static char *update_crypt_pw (char *cp)
 	if (uflg && *cp == '!') {
 		if (cp[1] == '\0') {
 			fprintf (stderr,
-				 _("%s: unlocking the user would result in a passwordless account.\n"
+				 _("%s: unlocking the password would result in a passwordless account.\n"
-				   "You should set a password with usermod -p to unlock this user account.\n"),
+				   "You should set a password with usermod -p to unlock the password of this account.\n"),
 				 Prog);
 		} else {
 			cp++;
@@ -597,15 +597,6 @@ static void update_shadow (void)
 	if (do_update_age) {
 		nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
 	}
-	if (lflg) {
-		/* Set the account expiry field to 1.
-		 * Some PAM implementation consider zero as a non expired
-		 * account.
-		 */
-		nsp->sp_expire = 1;
-	}
-	if (uflg)
-		nsp->sp_expire = -1;
 
 	/*
 	 * Force change on next login, like SunOS 4.x passwd -e or Solaris
@@ -707,12 +698,12 @@ static int check_selinux_access (const char *changed_user,
  *	-g	execute gpasswd command to interpret flags
  *	-i #	set sp_inact to # days (*)
  *	-k	change password only if expired
- *	-l	lock the named account (*)
+ *	-l	lock the password of the named account (*)
  *	-n #	set sp_min to # days (*)
  *	-r #	change password in # repository
  *	-s	execute chsh command to interpret flags
  *	-S	show password status of named account
- *	-u	unlock the named account (*)
+ *	-u	unlock the password of the named account (*)
  *	-w #	set sp_warn to # days (*)
  *	-x #	set sp_max to # days (*)
  *