authorDavid Bremner <david@tethera.net>2021-09-28 14:28:13 -0300
committerSean Whitton <spwhitton@spwhitton.name>2021-09-29 17:24:31 -0700
commit214fb5ef7195ef7239f10dcd36c2eaf37b1b5e72 (patch)
tree79df1e43effe115c74793d7ff669b0691717f06b
parentb40a5930ae62b5491ccf371dd1adbc47290d1953 (diff)
downloadconsfigurator-214fb5ef7195ef7239f10dcd36c2eaf37b1b5e72.tar.gz
add USER:HAS-LOCKED-PASSWORD
This is useful when access is provided by other means (e.g. ssh keypairs) or as part of locking a user out completely.

Signed-off-by: David Bremner <david@tethera.net>
-rw-r--r--src/package.lisp1
-rw-r--r--src/property/user.lisp11
2 files changed, 12 insertions, 0 deletions
diff --git a/src/package.lisp b/src/package.lisp
index 09dfd58..74d9fa4 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -451,6 +451,7 @@
#:has-desktop-groups
#:has-login-shell
#:has-enabled-password
+ #:has-locked-password
#:passwd-entry))
(defpackage :consfigurator.property.chroot
diff --git a/src/property/user.lisp b/src/property/user.lisp
index 516b809..84ddc43 100644
--- a/src/property/user.lisp
+++ b/src/property/user.lisp
@@ -109,6 +109,17 @@ and then this property will do nothing."
(:apply
(mrun :input (format nil "~A:~A" username initial-password) "chpasswd")))
+(defprop has-locked-password :posix (username)
+ "Ensure that USERNAME cannot login via a password."
+ (:desc #?"${username} has a locked password")
+ (:hostattrs (os:required 'os:debianlike))
+ (:check
+ (assert-euid-root)
+ (string= "L" (cadr (split-string (run "passwd" "-S" username)))))
+ (:apply
+ (assert-euid-root)
+ (mrun "passwd" "--lock" username)))
+
(defun %getent-entry (n name-or-id &optional (database "passwd"))
"Get the nth entry in the getent(1) output for NAME-OR-ID in DATABASE."
(let ((u (etypecase name-or-id