Account locking in linux

UNIX / Linux : How to lock or disable an user account

There are several ways in which user account can be locked or disabled. The posts discusses few of the most widely used ways.

1. Lock the password

To lock a users account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :

2. Expire the user account

The commands passwd -l and usermod -L are ineffcient when it comes to disable/lock user accounts. These commands will not disallow authentication by SSH public keys (or other PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can user the command chage -E0. For example :

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

3. Changing the shell

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin [username]

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify if the account is locked or disabled.

For each of the methods described above, you can verify if the user account is locked/disabled using below methods.

1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status root root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)

2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.

# chage -l root Last password change : Jul 19, 2017 Password expires : Sep 02, 2017 Password inactive : never Account expires : Sep 02, 2017 Minimum number of days between password change : 0 Maximum number of days between password change : 45 Number of days of warning before password expires : 7

3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.

# grep ^root /etc/passwd root:x:0:0:root:/root:/sbin/nologin

Источник

How to Lock and Unlock User in Linux

How do you lock a user account in Linux? Even more importantly, how do you unlock the user in Linux? Learn various ways of locking and unlocking users in Linux command line.

3 ways to lock and unlock user accounts in Linux

There could be a number of reasons why you would want to disable a user in your multi-user Linux environment. Perhaps an employee left the organization and instead of deleting the user altogether, lock the account for archival purpose.

In this tutorial, I’ll show you three ways to lock a user in Linux command line. I’ll also discuss how to unlock the user.

Method 1: Lock and unlock users with passwd command

The passwd command in Linux deals with passwords of a user account. You can also use this command to lock a user account.

The command basically works on the /etc/passwd file. You may manually modify this file but I advise against it.

To lock a user with the passwd command, you can use the option -l or –lock in this manner:

Verify the status of a user with passwd command

You can learn whether a user is locked or unlocked using the option -S or –status of passwd command.

passwd -S user_name

Look at the second field in the output. Here’s what it means:

– P or PS: password is set (user is unlocked)
– L or LK: User is locked
– N or NP: No password is needed by the user

Here’s a sample output of the passwd command:

standard P 10/14/2019 0 99999 7 -1

To unlock the user with passwd command, you can use the option -u or –unlock:

On Ubuntu, you’ll see an output like this for both locking and unlocking the user:

passwd: password expiry information changed

What about login via SSH?

There is a major problem with locking users this way. Since it only works with the /etc/passwd file, the locked user will still be able to log in via SSH keys (if login via SSH key is set). I’ll show you how to deal with it in the next section.

Method 2: Lock and unlock users with usermod command

You can also use the usermod command. The command is primarily used for modifying user accounts in Linux. You can also modify the state of a user by locking or unlocking with usermod.

To lock the user, you can use the -L option in this manner:

To unlock the user, you can use the -U option:

How do you verify if the user is locked or not? The usermod command also works on the /etc/passwd file so you can use the passwd -S user_name command to check the status of the user.

But usermod also works with the /etc/passwd file so this means the locked user could still be able to login via SSH keys, right? That’s right. But there are ways to overcome this problem.

For example, you can change the shell of the user to nologin and this will not allow the user to login to a shell.

Another method is to lock the user and provide an expired date in the past. What it does is that it disables the account on a past date and then locks it.

Make sure that the past date is between 1970-01-02 and the current date.

usermod -L --expiredate 1970-01-02 user_name

You can reverse it with this command:

usermod -U --expiredate '' user_name

There is a similar way to lock the user in Linux with chage command. Let’s see it in the next section.

Method 3: Lock and unlock users with chage command

The chage command is used for changing the user password expiry information. It can be used to automatically lock an inactive user after certain number of days of inactivity.

Basically what you did with the usermod command in the previous section can be achieved with chage command like this:

Basically, you have set the expired date to 1970-01-02. You can see the details like this:

[email protected]:~$ sudo chage -l standard Last password change : Nov 07, 2019 Password expires : never Password inactive : never Account expires : Jan 02, 1970 Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7

You can remove the expiry date and thus unlock the user in this manner:

As always, there are various ways to accomplish a task in Linux command line. I have shown here three methods to lock and unlock users in Linux. Do you know a better way or do you have some best practices suggestion for locking users? Do share it in the comment section.

Источник

Best ways to Lock and Unlock a User Account in Linux

T he Linux based systems have been an indomitable part of system management, especially most of the back-end systems. There are many tools designed just for that, even if we simply look at the Linux kernel + GNU utilities.

A critical part of any administrator is the ability to manage user accounts. In this article, we are going to demonstrate the different ways in which a user account can be locked and unlocked in a Linux system. This is distro independent.

Locking and Unlocking the User Accounts

Locking Passwords

It is important to note that the first two methods that involve locking the password of the user account only work if there are no alternate ways of login available to the user. For example, if the user has the option to log in through SSH, locking passwords will be useless in that case. The latter options show how to fix this.

1. usermod command

The usermod command is a one-stop solution for modifying a user account and houses an option to lock a user account password. With a simple -L flag, usermod just does the job. The command looks like this:

Unlock

The command to unlock a user locked this way uses the -U flag. The command is as follows:

2. passwd command

Another option when it comes to managing passwords is the passwd command. It also has an option to lock the password of an account.

Unlock

To unlock the user locked with the -l flag of passwd, the -u (unlock) flag needs to be used. The command looks like this:

Under the Hood

What happens when you issue either of these commands can be seen in the /etc/shadow file. This file holds an encrypted version of the password along with the user name. If you check before and after locking the password of a user, you can see that there is an exclamation mark (!) before the encrypted password, which indicates that the password has been locked.

Normal state of the account

Of course, you can also do this manually, and it will have the same effect. We do not recommend it though.

Check Status

There is a simple command to check whether an account is locked or not. The command is:

sudo passwd --status [Username]

If there is “L” present in the output after the username, that means that the user account is locked.

Locking Accounts

It is repeatedly mentioned, even in the man page of the passwd command and the usermod command, that locking the password is not an efficient way of locking out a user. It can be bypassed if the user can use SSH authentication to log in. To fix that, we can lock the account itself. We can achieve this by expiring the user account.

1. usermod

There is no denying the fact that usermod really in the one-stop solution to almost all account configurations needed. We could lock the password through usermod, and we can also expire the user account so that no further logins are even possible.

sudo usermod --expiredate 1 [Username]

This immediately disables the user account.

2. chage

The chage command is used to modify user account expiry information. We can use the -E flag to set the expiration date to 0, which is disabling the user account.

Expiring account with chage

Unlocking

Since we are terminating the user account here, the obvious antidote to the situation is changing the expiry date of the user account to something else. If you want it so that the user account never expires, you can use this command to achieve that:

Otherwise, if you’re going to set a specific date, you can do that too:

sudo chage -E YYYY-MM-FF [Username]

Check Status

We are expiring the account here, and such information can easily be checked using the chage command again. The command to verify the information is:

Under the Hood

Similar to locking a user account password, the /etc/shadow file changes when a user account expires. Before the last colon of the entry of the user, there will be ‘1’ instead of it being empty. That space indicates the expiry of an account.

Normal state of the account

Again, you can do this manually, but we do not recommend it.

Changing Shell

When a user logs in, he/she is using what is called a login shell. You might not have seen this a lot of times, but if you dare, try this combination: CTRL+ALT+F1, and you will get a text-based interface, which prompts you for a login and password before letting you use any commands. This is called a login shell.

1. Changing the shell to nologin

Naturally, one way of locking out a user is to not even let that user log in, in the first place. Thus, the shell of that user can be changed to the nologin shell with this command:

sudo usermod -s /sbin/nologin [Username]

Changing shell to nologin

This displays a polite message indicating that the user is not allowed to log in.

2. Changing the shell to false

There is also the option of changing the shell to false, which unlike nologin (which displays a message), just logs the user back out whenever the user tries to log in. It’s a bit extreme, but also useful.

sudo usermod -s /bin/false [Username]

Reversal

This can be reversed by changing the shell back to the default shell of the user. You can find what the default shell is by comparing the shells of the other users of the system in the /etc/passwd file. Generally, it is the Bash shell on most Linux systems. So to set to that:

sudo usermod -s /bin/bash [Username]

Under the Hood

You can see the difference here, too. If you read the file /etc/passwd, you will be able to see the shells being used by the users. Now, if you see the shell being used by the concerned user, it will probably be /bin/bash by default. When the shell is changed, the content of the file changes.

You can directly change the contents of /etc/passwd to change the shell to achieve the same results given by the above commands. There is a risk, though, and we do not recommend it.

Conclusion

This one simple activity of locking a user account alone demonstrates how great Linux systems are for administrative tasks. There is a multitude of options available to achieve any given result, and such flexibility is always appreciated. If you have any questions, feel free to use the comments section.

Источник