Disable accounts in Linux

Howto: Enable and Disable the User accounts in Linux/Unix

To disable a user account, open the Terminal and run this command:

# passwd -l username (where username is the login id).

To enable a user account, open the Terminal and run this command:

To check the status of the user, run this command and check the message it returns:

For a disabled/locked account it will show “This account is currently not available.”

For an enabled/unlocked account it will prompt for that user’s password.

Tested Environments: Debian 7.2.0, 6.0.5, CentOS 6.0.

N.B.: For more information, please make a comment and I will try to help you.


4 thoughts on “ Howto: Enable and Disable the User accounts in Linux/Unix ”

It’s not a good idea to use passwd command to disable an account, in fact, the account is active and it has not been disabled by this command, only password has changed. You can use usermod command to disable an account ( usermod -L -e 1 ), but maybe this is not what you need, that’s why you are using passwd instead of usermod, I guess.

passwd -l does not disable an account. The commands passwd -l or usermod -L lock a user account. The account may be unlocked using the command passwd -u. A disabled account is a function of the variable INACTIVE. Once a password expires the system will use the INACTIVE setting to determine how many days it will wait before disabling the account. When a regular user account is disabled an asterisk is placed in the encrypted password field of the file /etc/shadow for that user. To enable the account this asterisk must be removed and a password created for the account.


How do I completely disable an account?

How do I completely disable an account? passwd -l will not allow anyone to log into an account using a password but you can still log in via private/public keys. How would I disable the account completely? As a quickfix I renamed the file to authorized_keys_lockme . Is there another way?

Are you planning on re-enabling it eventually? System lockdowns? If not, I’d simply remove the account.

6 Answers

The correct way according to usermod(8) is:

usermod --lock --expiredate 1970-01-02 username

(Actually, the argument to --expiredate can be any date before the current date in the format YYYY-MM-DD .)

  • --lock locks the user’s password. However, login by other methods (e.g. public key) is still possible.
  • --expiredate YYYY-MM-DD disables the account at the specified date. According to man shadow 5, 1970-01-01 is an ambiguous value and shall not be used.

I’ve tested this on my machine. Neither login with password nor public key is possible after executing this command.

To re-enable the account at a later date you can run:

usermod --unlock --expiredate '' username

Don’t use 1970-01-01 as it will set /etc/shadow expiration field to 0. shadow(5): “The value 0 should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan 1, 1970.” Please use: usermod --lock --expiredate 1970-02-02

It would be great if you could also provide the method to reverse this operation. Looks like usermod --unlock --expiredate '' username will do it.

Adding to what @MarcusMaxwell wrote: The man page for usermod says: Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.

Lock the password and change the shell to /bin/nologin .

sudo usermod --lock --shell /bin/nologin username 

(Or more concisely, sudo usermod -L -s /bin/nologin username .)

@mattdm This is not a complete solution, as a user can still specify a command to be executed. For example ssh username@hostname /bin/bash will give the user a bash prompt, regardless of the default shell.

@phunehehe — have you tried it? You’ll get, in the log, «User [username] not allowed because shell /bin/nologin does not exist».

As far as I know, the invalid-shell behavior isn’t actually documented. On the other hand, the man page says that if the password has a leading !! on Linux the account will be treated as locked, and that doesn’t actually work. So, y’know, documentation and reality are only approximate matches anyway. 🙂

sudo chsh -s /bin/nologin would be better than editing /etc/passwd by hand. Also, on some systems, it’s /sbin/nologin .

Here is another simple way. You can set the user account expired. This will prevent both password-based and ssh key-based logins for the account, but does not touch the password.

To lock the account:

The user account ‘username’ will be locked out on the system. To re-enable the user account, do the following.

To unlock the account:

The user account ‘username’ will be re-enabled on your system with the same password as before. The ‘chage’ binary is part of the shadow-utils package on Red Hat Linux, or the passwd package on Debian Linux.

I don’t have sufficient rep to comment on Legate’s answer, but I wanted to share that this answer helped us with another use case:

1.) account in question is a local service account running an application, not an end user account.

2.) end users ssh in as themselves, and sudo /bin/su to become user and administer application due to an audit trail requirement that service account cannot have direct login ability.

3.) service account must have a valid shell ( /bin/bash , not /sbin/nologin ), because an Enterprise Scheduling Platform (agent runs as root locally) must be able to su - and does not have the su -s /bin/bash ability that a full shell does, and is needed to run jobs remotely for larger batch operations that encompass multiple servers and databases.

passwd -l
Doesn’t satisfy constraints because public key authentication bypasses PAM and still allows direct login.

usermod -s /sbin/nologin
Doesn’t satisfy constraints because it breaks the enterprise scheduler.

usermod --lock --expiredate 1970-01-01
This is our winner. Remote login disabled, yet root can still su , as can other users via sudo so the scheduler functions properly and authorized end users can become the target service account as needed.

Thank you for the solution!

How To Disable or Lock Linux User Account?

How can I disable a Linux account? Disabling an account does not remove the account or its files; it only prevents the user from authenticating, so any login attempt will fail. We will use the usermod command to lock the user account.

Disable/Lock User Account with usermod Command

We will disable the account with the following command.

  • usermod changes user account attributes and information.
  • -L locks the given account by putting ! before the encrypted password in the user password database.
  • -e 1 sets the expiry date to day 1 counted from 1/1/1970, which is in the past.

Disable/Lock User Account with chage Command

The chage command is used to set the expiration time of a user account. If we set a date earlier than the current date, the account is locked automatically. We provide the date in YYYY-MM-DD format. In this example we will lock the user ismail .

$ sudo chage -E 2010-01-01 ismail

Disable/Lock User Account with passwd Command

We can also use the passwd command to lock a user account. We provide the -l option, which means lock. In this example we will lock the user ismail .

Disable/Lock User Account From /etc/shadow

The /etc/shadow file stores user passwords in hashed form. If ! is added before the hash value of a user’s password, the user account is disabled or locked. As an example, we can lock the user test with the following line. Pay attention to the ! at the beginning of the password hash value.

test:!$6$0G2HVsS0JZ3wqfK6$ClYJYYWaLhI5

Disable/Lock User Account From /etc/passwd

The /etc/passwd file also stores information about users. A user account can also be locked from this file in two different ways.

Disable User Login with nologin

We can disable login for a user account in the /etc/passwd file. The last field of each line, for example /bin/bash , specifies the user’s shell. We will change it to /bin/nologin , which is not a login shell.

Adding ! After Username

Another way is to add ! after the username and before the x , like below.

Unlock/Enable User

After some time we may need to enable or unlock the user account again. There are different ways to unlock a user account. Here are some of them, using the chage and passwd commands.

Check User Lock Configuration

We can check the status of the account in the configuration file to see whether it is disabled.

We can also check whether the user is locked with the chage command, like below.
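
An added example (not part of the original article) of checking lock state directly from shadow(5)-format data: it reports whether an entry is only password-locked (the ! prefix described above, which still leaves key-based login possible), expired, or both, and flags the ambiguous expiry value 0. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report how each account in
# shadow(5)-format input is disabled. Field 2 is the password hash, field 8
# the account expiry in days since 1970-01-01 (empty means "never").

# audit_shadow TODAY_DAYS -- reads shadow lines on stdin, prints "user state"
audit_shadow() {
    awk -F: -v today="$1" '
    /^#/ || NF < 8 { next }                  # skip comments and malformed lines
    {
        locked  = ($2 ~ /^[!*]/)             # "!" or "*" prefix: no password login
        expired = ($8 != "" && $8 + 0 <= today + 0)
        if ($8 == "0")              state = "ambiguous-expiry-0"
        else if (locked && expired) state = "locked+expired"
        else if (expired)           state = "expired"
        else if (locked)            state = "password-locked-only"
        else                        state = "active"
        print $1, state
    }'
}

# Constructed sample entries (the hashes are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
alice:$6$saltsalt$placeholderhash:19000:0:99999:7:::
bob:!$6$saltsalt$placeholderhash:19000:0:99999:7:::
carol:!$6$saltsalt$placeholderhash:19000:0:99999:7::1:
dave:$6$saltsalt$placeholderhash:19000:0:99999:7::1:
erin:!$6$saltsalt$placeholderhash:19000:0:99999:7::0:
EOF
}

# Today's date as days since the epoch, the unit used by field 8.
today=$(( $(date +%s) / 86400 ))
sample_shadow | audit_shadow "$today"
```

To audit a live system, run the function as root against the real file, for example `audit_shadow "$today" < /etc/shadow`. Entries reported as password-locked-only are the ones the answers above warn about.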
