Linux disable all users

UNIX / Linux : How to lock or disable an user account

There are several ways in which user account can be locked or disabled. The posts discusses few of the most widely used ways.

1. Lock the password

To lock a users account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :

2. Expire the user account

The commands passwd -l and usermod -L are ineffcient when it comes to disable/lock user accounts. These commands will not disallow authentication by SSH public keys (or other PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can user the command chage -E0. For example :

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

3. Changing the shell

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin [username]

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify if the account is locked or disabled.

For each of the methods described above, you can verify if the user account is locked/disabled using below methods.

1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status root root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)

2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.

# chage -l root Last password change : Jul 19, 2017 Password expires : Sep 02, 2017 Password inactive : never Account expires : Sep 02, 2017 Minimum number of days between password change : 0 Maximum number of days between password change : 45 Number of days of warning before password expires : 7

3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.

# grep ^root /etc/passwd root:x:0:0:root:/root:/sbin/nologin

Источник

How to deactivate or disable a user account in Ubuntu 20.04 LTS

If you want to disable any user to prevent that the user logs into his/her account on Ubuntu or lock the user’s account so he/she won’t be able to log in and access the privileged rights, you can do it in three ways through command line input (CLI). This article will explain and demonstrate these 3 ways through which you can perform the specified task.

Prerequisites

Disabling a user in Ubuntu

Follow the below explained ways to inactivate a user in ubuntu 20.04 LTS.

Method 1: Lock the password

For locking the user’s account password, there are 2 commands for doing it. The commands are:

These two commands will put an exclamation mark “!” in the second field of the /etc/passwd file. This addition of an exclamation mark will be sufficient to lock the user account’s password.

Using the “usermod -L” command

Run the following command in terminal to lock the password:

For this particular article, the user whose account I want to lock is “muneeb” so the username in the above command will be “muneeb”.

Entering the above command will ask for the root account password first to proceed. Type the password and hit enter to proceed.

Using the “passwd -l” command

Run the following command to lock the password in the terminal.

For using this command, the particular user ( according to my system) is “Zahid” whose account I want to disable to login into his account. So, the username in the above command will be “Zahid”. This command

After running the above command, the terminal will ask for the root’s password first. Enter the root’s password to proceed further.

Method 2: Expire the user account

The lock password way has some cons as well. It sometimes doesn’t completely forbid the specified user’s login into the system by SSH ( Secure Shell) public keys. The other way through which a user’s account can be permanently disabled or inactivated is expiring the specified user’s account. To do so, run the following command in the terminal:

The username will be “Zahid” in the above command for this particular article.

Expiring Zahid’s account will close up all the access methods to be used by him. This command involves using the 8th field from the /etc/passwd file.

Method 3: Change the Shell

The third way can be changing the shell. The changed shell will be /sbin/nologin from the default shell. It will then not let any user login into the system. It involves using the 7th and the last field of the /etc/passwd file. You can do this by running the following command:

$ sudo usermod -s /sbin/nologin username

For this particular article, the username in the above command will be “Zahid”.

Running the above command will first ask for the root’s password to proceed. Type the password and hit enter.

Confirming whether the account has been disabled or inactive

1. Verify the user’s status (Locked/Unlocked)

After getting done with the above ways of locking the account, verify whether the user has been locked or disabled by running the following command:

$ sudo passwd --status username

As mentioned above, the username in the above command will be “Zahid” for this particular article, whose account I have locked. Running the above command will give you the following status update. Look for the “L” flag in the output that shows whether the account has been locked or not.

2. Look for the non-interactive Shell

Check and verify that the locked user’s shell has been changed to a non-responding or interactive shell that is /sbin/nologin by running the following command.

$ sudo grep ^username /etc/passwd

For this particular article, the username will be “Zahid” in the above command. Running the above will give you the following output.

Conclusion

In this article, you will get to know about different ways of locking or disabling any user’s account. Being a Linux system administrator, you frequently need to manage multiple user accounts at a time easily by enabling or disabling some user accounts according to required specifications. Though each way has its own pros and cons, you can use any of the demonstrated ways as per your system efficiency.

Search

About This Site

Vitux.com aims to become a Linux compendium with lots of unique and up to date tutorials.

Latest Tutorials

Источник

How to enable or disable a user?

I’m uing ubuntu 12.04 desktop. I have 3 users: user1(administrator), user2(standard) and guest. I wanted to disable user1 and enable user2 which auto logs on with no password but after I did that I can’t login to user1 and user2 accounts except the guest session user. I’m striped off every administrative privileges. I don’t know which options are available to me and how do I enable root or user which is an administrator?

5 Answers 5

Expire Account

Let the account expire to disallowing a user from logging in from any source including ssh:

# disallow peter from logging in sudo usermod --expiredate 1 peter 

This is how you can reenable that account:

# set expiration date of peter to Never sudo usermod --expiredate "" peter 

Lock a Password

To disable / lock the password of user account use below command. This will not disallow ssh-access on Ubuntu. This prepends a ! to the password hash so that no password will match it anymore.

# take away peters password sudo passwd -l peter 

# give peter back his password sudo passwd -u peter 

Expire a Password

This command seems to differ across platforms. On Ubuntu, expiring a password will command the user to make up a new one once he logs in. This is not suitable for disabling an account.

# make peter think of a new password on login sudo passwd -e YYYY-MM-DD peter 

You should merge locking a password and expiring an account into one command as explained in @vorburger’s answer (usermod -L -e 1 [username]) and (usermode -U -e «» [username])

Use this to lock an account:

sudo usermod -L -e 1 [username] 

and this to unlock an account so locked:

sudo usermod -U -e "" [username] 

(Disabling and locking a user account both mean the same thing.)

To disable / lock the user account use below command:

sudo passwd -l [user_name] e.g. sudo passwd -l samual 

To put an expire date to an user account so that it automatically gets disabled / locked.

sudo passwd -e YYYY-MM-DD [user_name] e.g. sudo passwd -e 2013-05-31 samual 

To re-enable a disabled user, issue the passwd command with the -u option.

sudo passwd -u [username] e.g. sudo passwd -u training 

To enable the root account and change the root password use below steps.

Enter the new password for root account and then exit. if this does not solve the issue let me know.

Please feel free to let me know if you need anything else or any further clarification.

Источник

Disable all user accounts?

I’m not sure all accounts are disabled on my computer, including samba-guest, and I need to disable all accounts except the one I’m using. How can I disable them all?

So, you want to prevent all users from logging in (local and remote) except for yourself? Service(s): just Samba? Do you have other services like SSH enabled?

Thanks for your replay, I disabled SSH and yes i need to prevent all users local and remote except my self

5 Answers 5

You should be able to set accounts to use /bin/false to prevent login.

So, for user «baduser», use sudo usermod -s /bin/false baduser .

You can also edit the password file directly, using a command like vipw . The resulting line should look something like this:

jgb:x:1003:1003. /home/jgb:/bin/false 

To be even more secure, you can set allowed users in ssh via /etc/ssh/sshd_config . You would add a line like this:

AllowUsers user1 user2 user3 

@olli — In this case there’s no reason for root in the example, so I’ve changed it. Thanks for pointing that out.

«nologin — prevent non-root users from logging into the system». This will not work for regular users.

Click on the link to see the man: i think you should do both: 1) create /etc/nologin 2) modify SSH just like jgbelacqua said.

should it be permanent oder only for a small time period?

you can disable an account by adding an asterisk in front of the passwords in /etc/password and /etc/shadow or simply backup and delete (same for /etc/samba/smbpasswd depending on your samba config, otherwise you could try to only map your username to the samba an leave the others

You could try editing the PAM configuration files.

e.g. add this to the top of your /etc/pam.d/common-auth :

auth [default=1 success=ignore] pam_succeed_if.so quiet uid ne 0 auth pam_succeed_if.so quiet user != youruser 

I haven’t tested this, so please check it and test it first.

But it’s probably easier to just make sure only you (and probably root ) belong to the wheel group, then add this to /etc/pam.d/common-auth :

auth required pam_wheel.so 

Источник