Linux disable user login

UNIX / Linux : How to lock or disable a user account

There are several ways in which a user account can be locked or disabled. This post discusses a few of the most widely used ways.

1. Lock the password

To lock a user's account, use the command usermod -L or passwd -l. Both commands add an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :

2. Expire the user account

The commands passwd -l and usermod -L are inefficient when it comes to disabling/locking user accounts. These commands will not disallow authentication by SSH public keys (or by PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can use the command chage -E0. For example :

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

3. Changing the shell

We can also change the default shell of the user to /sbin/nologin so that the user does not get a login shell when trying to log in to the system.

# usermod -s /sbin/nologin [username]

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify if the account is locked or disabled.

For each of the methods described above, you can verify if the user account is locked/disabled using below methods.

1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status root
root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)

2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.

# chage -l root
Last password change : Jul 19, 2017
Password expires : Sep 02, 2017
Password inactive : never
Account expires : Sep 02, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 45
Number of days of warning before password expires : 7

3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.

# grep ^root /etc/passwd
root:x:0:0:root:/root:/sbin/nologin
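The three checks above combined into one pass over shadow(5)/passwd(5) records, as an added example that is not from the original article. The sample records and the function names (field, account_state, key_login_still_possible) are constructed for illustration; the last function lists accounts where only the password is locked, which is the case the article says still allows SSH public-key logins.

```sh
#!/bin/sh
# Added example. SHADOW and PASSWD are constructed sample data in
# shadow(5)/passwd(5) format; on a real host read /etc/shadow (as root)
# and /etc/passwd instead.
SHADOW='alice:$6$salt$hash:17366:0:45:7:::
bob:!$6$salt$hash:17366:0:45:7:::
carol:!$6$salt$hash:17366:0:45:7::1:
dave:$6$salt$hash:17366:0:45:7:::'
PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/sbin/nologin'

# field RECORDS USER N -> print field N of USER's colon-separated record
field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }'
}

# account_state USER [TODAY] -> "active" or a list of the controls in place.
# TODAY is in days since 1970-01-01 and defaults to the current date.
account_state() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    pw=$(field "$SHADOW" "$1" 2)      # leading "!" = password locked
    exp=$(field "$SHADOW" "$1" 8)     # account expiry, days since epoch
    shell=$(field "$PASSWD" "$1" 7)   # login shell
    state=""
    case $pw in '!'*) state="pw_locked" ;; esac
    if [ -n "$exp" ] && [ "$exp" -le "$today" ]; then state="$state expired"; fi
    case $shell in */nologin|*/false) state="$state noshell" ;; esac
    state=${state# }
    echo "${state:-active}"
}

# Users whose only control is the locked password: no expiry, usable shell.
key_login_still_possible() {
    for u in $(printf '%s\n' "$PASSWD" | cut -d: -f1); do
        [ "$(account_state "$u" "$1")" = "pw_locked" ] && echo "$u"
    done
    return 0
}

for u in alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(account_state "$u")"
done
```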


How to Block or Disable Normal User Logins in Linux

As a system administrator, you will inevitably perform scheduled system maintenance at some point. At times, your system may also encounter problems and you will be forced to take it down to fix them. Whatever the situation is, it is a good idea to prevent non-root (normal) users from connecting to the system.


In this article, we will describe how to block non-root users logins using /etc/nologin file as well as a nologin shell in Linux. We will look at how to set a message that explains to users what is actually happening.

How to Block User Logins Using /etc/nologin File

The primary function of /etc/nologin file is to display a message (stored in the file) to users attempting to log on to a system during the process of shutdown.

Once the message has been displayed to the user, the login procedure terminates, preventing the user from logging onto the system.

This can be used to block user login by manually creating the file as follows.

Add the message below to the file, which will be shown to users attempting to log on to the system.

Now you can test if it all works; as you can see from the screen shot below, a normal user tecmint is not able to login.

Block User Login in Linux

How to Block User Logins Using nologin Shell

This method works a little differently: it only blocks a user from accessing a shell. But he or she can log on to the system via programs such as ftp that do not necessarily require a shell for the user to connect to a system.

Additionally, it can allow you to block shell access to specific users in special scenarios.

On RHEL/CentOS/Fedora

Simply use the chsh (change shell) command to change the user's shell in the /etc/passwd file from something like /bin/bash or /bin/sh to /sbin/nologin, meaning refuse a login.

# chsh -s /sbin/nologin tecmint

On Debian/Ubuntu

Here, you have to use the /bin/false file. The command below changes the user tecmint’s shell to /bin/false, meaning do nothing (after the user provides login credentials):

$ sudo chsh -s /bin/false tecmint


How to enable or disable a user?

I’m using Ubuntu 12.04 desktop. I have 3 users: user1 (administrator), user2 (standard) and guest. I wanted to disable user1 and enable user2, which auto logs on with no password, but after I did that I can’t log in to the user1 and user2 accounts, only the guest session user. I’m stripped of all administrative privileges. I don’t know which options are available to me, and how do I enable root or a user which is an administrator?

5 Answers

Expire Account

Let the account expire to disallow a user from logging in from any source including ssh:

# disallow peter from logging in
sudo usermod --expiredate 1 peter

This is how you can reenable that account:

# set expiration date of peter to Never
sudo usermod --expiredate "" peter

Lock a Password

To disable / lock the password of user account use below command. This will not disallow ssh-access on Ubuntu. This prepends a ! to the password hash so that no password will match it anymore.

# take away peter's password
sudo passwd -l peter
# give peter back his password
sudo passwd -u peter

Expire a Password

This command seems to differ across platforms. On Ubuntu, expiring a password will command the user to make up a new one once he logs in. This is not suitable for disabling an account.

# make peter think of a new password on login
sudo passwd -e peter

You should merge locking a password and expiring an account into one command as explained in @vorburger’s answer (usermod -L -e 1 [username]) and (usermod -U -e "" [username])

Use this to lock an account:

sudo usermod -L -e 1 [username] 

and this to unlock an account so locked:

sudo usermod -U -e "" [username] 

(Disabling and locking a user account both mean the same thing.)

To disable / lock the user account use below command:

sudo passwd -l [user_name]
e.g. sudo passwd -l samual

To put an expire date to a user account so that it automatically gets disabled / locked.

sudo usermod -e YYYY-MM-DD [user_name]
e.g. sudo usermod -e 2013-05-31 samual

To re-enable a disabled user, issue the passwd command with the -u option.

sudo passwd -u [username]
e.g. sudo passwd -u training

To enable the root account and change the root password use below steps.

Enter the new password for the root account and then exit. If this does not solve the issue let me know.

Please feel free to let me know if you need anything else or any further clarification.


How to Disable a User in Linux

Disabling a user account in Linux means the user can no longer login to the system. However, the account will still persist on the system, which makes it different than deleting a user account entirely.

You may need to disable a user account temporarily, or disable the login capability for a system account. In this guide, you’ll learn a few different methods of disabling a user account on Linux. You’ll also see how to re-enable the account.

Disable User Account by Editing /etc/shadow

The usermod command can be used to disable, or “lock,” a user account on Linux. Supply the -L (Lock) option in your command’s syntax, as seen below.

In reality, executing the usermod -L command is just adding an exclamation point to the beginning of the user’s encrypted password, stored inside the /etc/shadow file. You can observe this change by viewing the /etc/shadow file after disabling a user account.

# cat /etc/shadow | grep testuser
testuser:!$6$Cf8K/f1kM4EIX2ut$T2u [...]

If you need to re-enable the user in the future, use the -U (Unlock) option in your usermod command.

Doing so will remove the exclamation point from the /etc/shadow file, and the user can now login with the same password they had before. When checking /etc/shadow again, you’ll see the exclamation mark has disappeared.

# cat /etc/shadow | grep testuser
testuser:$6$Cf8K/f1kM4EIX2ut$T2u [...]

Disable User Account With nologin or false Shells

Another way to disable a user account is to change their default login shell. Most Linux systems will have either the /sbin/nologin or /usr/sbin/nologin shells available.

Use the usermod command and -s option to change a user’s shell to /sbin/nologin .

# usermod testuser -s /sbin/nologin

After executing the command, you can view the /etc/passwd file to see that the account’s login shell has been changed.

# cat /etc/passwd | grep testuser
testuser:x:1001:1003::/home/testuser:/sbin/nologin

In the future, if someone tries to login with the user account, they’ll be directed to the /sbin/nologin shell and receive the following message:

# su testuser
This account is currently not available.

You can also change a user’s shell to the /bin/false file, which will exit as soon as the user logs in, and return exit status 0 (false). They won’t receive any kind of message like they would with /sbin/nologin . To set a user’s shell to /bin/false , use the following command.

# usermod testuser -s /bin/false

Regardless of which shell you use, either nologin or false , the end result is that the user will no longer be able to login.


To re-enable the user at a later time, change their shell back to the system’s default, which is likely Bash.

# usermod testuser -s /bin/bash

Take a look at the /etc/shells file to see a complete list of valid login shells for your system.


How To Disable or Lock Linux User Account?

How can I disable a Linux account? By disabling it I do not want to remove the account and related files; only user-related operations will be prevented. If the user attempts to authenticate, the authentication will fail. We will use the usermod command to lock the user account.

Disable/Lock User Account with usermod Command

We will disable account with the following code.

  • usermod will change user account related attributes and information.
  • -L will lock given account and put ! in the user passwords database before encrypted password.
  • -e 1 will set expire date from 1/1/1970

Disable/Lock User Account with chage Command

The chage command is used to set the user account expiration time for the password. If we set a date earlier than the current date, the given account will be locked automatically. We provide the date in YYYY-MM-DD format. In this example we will lock user ismail.

$ sudo chage -E 2010-01-01 ismail

Disable/Lock User Account with passwd Command

We can also use the passwd command in order to lock a given user account. We will provide the -l option, which means lock. In this example we will lock user ismail.

Disable/Lock User Account From /etc/shadow

The /etc/shadow file stores the user password in encrypted format. If ! is added before the hash value of the user password, the user account will be disabled or locked. As an example we can lock user test with the following line. Note the ! at the beginning of the password hash value.

test:!$6$0G2HVsS0JZ3wqfK6$ClYJYYWaLhI5

Disable/Lock User Account From /etc/passwd

The /etc/passwd file also stores information about the user. A user account can also be locked from this file in two different ways.

Disable User Login with nologin

We can disable a user account login in the /etc/passwd file by changing the field at the end of the line, such as /bin/bash, which specifies the user shell. We will change it to /bin/nologin, which is not a login shell.

Adding ! After Username

Another way is adding ! after username and before x like below.

Unlock/Enable User

After some time we may need to enable or unlock the given user account. There are different ways to unlock a user account. Here are some of them with the chage and passwd commands.

Check User Lock Configuration

We will check the status of this account from configuration file. Is the account disabled?

We can also check the user configuration whether it is locked or not with the chage command like below.
