- How do I completely disable an account?
- 6 Answers
- How to deactivate or disable a user account in Ubuntu 20.04 LTS
- Prerequisites
- Disabling a user in Ubuntu
- Method 1: Lock the password
- Method 2: Expire the user account
- Method 3: Change the Shell
- Confirming whether the account has been disabled or inactive
- 1. Verify the user’s status (Locked/Unlocked)
- 2. Look for the non-interactive Shell
- Conclusion
- How to enable or disable a user?
- 5 Answers
- Expire Account
- Lock a Password
- Expire a Password
How do I completely disable an account?
How do I completely disable an account? passwd -l will not allow anyone to log into an account using a password but you can still log in via private/public keys. How would I disable the account completely? As a quickfix I renamed the file to authorized_keys_lockme . Is there another way?
Are you planning on re-enabling it eventually? System lockdowns? If not, I’d simply remove the account.
6 Answers
The correct way according to usermod(8) is:
usermod --lock --expiredate 1970-01-02 username
(Actually, the argument to --expiredate can be any date before the current date in the format YYYY-MM-DD.)
- --lock locks the user’s password. However, login by other methods (e.g. public key) is still possible.
- --expiredate YYYY-MM-DD disables the account at the specified date. According to man shadow 5, 1970-01-01 is an ambiguous value and shall not be used.
I’ve tested this on my machine. Neither login with password nor public key is possible after executing this command.
To re-enable the account at a later date you can run:
usermod --unlock --expiredate '' username
Don’t use 1970-01-01 as it will set /etc/shadow expiration field to 0. shadow(5): The value 0 should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan 1, 1970. Please use: usermod --lock --expiredate 1970-02-02
It would be great if you could also provide the method to reverse this operation. Looks like usermod --unlock --expiredate '' username will do it.
Adding to what @MarcusMaxwell wrote: The man page for usermod says: Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.
Lock the password and change the shell to /bin/nologin .
sudo usermod --lock --shell /bin/nologin username
(Or more concisely, sudo usermod -L -s /bin/nologin username .)
@mattdm This is not a complete solution, as a user can still specify a command to be executed. For example ssh username@hostname /bin/bash will give the user a bash prompt, regardless of the default shell.
@phunehehe — have you tried it? You’ll get, in the log, «User [username] not allowed because shell /bin/nologin does not exist».
As far as I know, the invalid-shell behavior isn’t actually documented. On the other hand, the man page says that if the password has a leading !! on Linux the account will be treated as locked, and that doesn’t actually work. So, y’know, documentation and reality are only approximate matches anyway. 🙂
sudo chsh -s /bin/nologin would be better than editing /etc/passwd by hand. Also, on some systems, it’s /sbin/nologin .
Here is another simple way. You can set the user account expired. This will prevent both password-based and ssh key-based logins for the account, but does not touch the password.
To lock the account:
The user account ‘username’ will be locked out on the system. To re-enable the user account, do the following.
To unlock the account:
The user account ‘username’ will be re-enabled on your system with the same password as before. The ‘chage’ binary is part of the shadow-utils package on Red Hat Linux, or the passwd package on Debian Linux.
I don’t have sufficient rep to comment on Legate’s answer, but I wanted to share that this answer helped us with another use case:
1.) account in question is a local service account running an application, not an end user account.
2.) end users ssh in as themselves, and sudo /bin/su to become user and administer application due to an audit trail requirement that service account cannot have direct login ability.
3.) service account must have a valid shell ( /bin/bash , not /sbin/nologin ), because an Enterprise Scheduling Platform (agent runs as root locally) must be able to su - and does not have the su -s /bin/bash ability that a full shell does, and is needed to run jobs remotely for larger batch operations that encompass multiple servers and databases.
passwd -l
Doesn’t satisfy constraints because public key authentication bypasses PAM and still allows direct login.
usermod -s /sbin/nologin
Doesn’t satisfy constraints because it breaks the enterprise scheduler.
usermod --lock --expiredate 1970-01-01
This is our winner. Remote login disabled, yet root can still su , as can other users via sudo so the scheduler functions properly and authorized end users can become the target service account as needed.
Thank you for the solution!
How to deactivate or disable a user account in Ubuntu 20.04 LTS
If you want to prevent a user from logging in to his/her account on Ubuntu, or lock the account so that he/she cannot log in and use its privileges, you can do it in three ways from the command line interface (CLI). This article explains and demonstrates these three ways.
Prerequisites
Disabling a user in Ubuntu
Follow the methods explained below to deactivate a user in Ubuntu 20.04 LTS.
Method 1: Lock the password
For locking the user’s account password, there are 2 commands for doing it. The commands are:
These two commands will put an exclamation mark “!” in the second field of the /etc/passwd file. This addition of an exclamation mark will be sufficient to lock the user account’s password.
Using the “usermod -L” command
Run the following command in terminal to lock the password:
For this particular article, the user whose account I want to lock is “muneeb” so the username in the above command will be “muneeb”.
Entering the above command will ask for the root account password first to proceed. Type the password and hit enter to proceed.
Using the “passwd -l” command
Run the following command to lock the password in the terminal.
For this command, the user (on my system) whose account I want to disable is “Zahid”, so the username in the above command will be “Zahid”. This command
After running the above command, the terminal will ask for the root’s password first. Enter the root’s password to proceed further.
Method 2: Expire the user account
Locking the password has drawbacks as well. It sometimes doesn’t completely prevent the specified user from logging in to the system with SSH (Secure Shell) public keys. The other way to permanently disable or deactivate a user’s account is to expire the account. To do so, run the following command in the terminal:
The username will be “Zahid” in the above command for this particular article.
Expiring Zahid’s account will close up all the access methods to be used by him. This command involves using the 8th field from the /etc/passwd file.
Method 3: Change the Shell
The third way is to change the shell from the default shell to /sbin/nologin. The user will then not be able to log in to the system. It involves using the 7th and the last field of the /etc/passwd file. You can do this by running the following command:
$ sudo usermod -s /sbin/nologin username
For this particular article, the username in the above command will be “Zahid”.
Running the above command will first ask for the root’s password to proceed. Type the password and hit enter.
Confirming whether the account has been disabled or inactive
1. Verify the user’s status (Locked/Unlocked)
After getting done with the above ways of locking the account, verify whether the user has been locked or disabled by running the following command:
$ sudo passwd --status username
As mentioned above, the username in the above command will be “Zahid” for this particular article, whose account I have locked. Running the above command will give you the following status update. Look for the “L” flag in the output that shows whether the account has been locked or not.
2. Look for the non-interactive Shell
Check that the locked user’s shell has been changed to a non-interactive shell, that is /sbin/nologin, by running the following command.
$ sudo grep ^username /etc/passwd
For this particular article, the username will be “Zahid” in the above command. Running the above will give you the following output.
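One way to check all three methods at once, as an added example that is not part of the original article: the script reads the password-lock marker and the account-expiry field from a shadow(5)-format file and the login shell from a passwd(5)-format file. The account names, hashes and temporary files are constructed sample data; on a real system the same function can be pointed at /etc/shadow and /etc/passwd as root.

```shell
#!/bin/sh
# Added example: classify accounts from shadow(5)/passwd(5)-format files.
# Usage: account_state USER SHADOW_FILE PASSWD_FILE TODAY_DAYS
# TODAY_DAYS = days since 1970-01-01, the unit of the shadow expiry field.
account_state() {
    awk -F: -v u="$1" -v today="$4" '
        FNR == NR { if ($1 == u) { hash = $2; expire = $8; seen = 1 }; next }
        $1 == u   { shell = $7 }                    # second file: passwd
        END {
            if (!seen) { print "unknown"; exit }
            # usermod -L / passwd -l prepend "!" to the hash (field 2).
            pw = (hash ~ /^!/) ? "locked" : "usable"
            # Field 8: empty = never expires; 0 is ambiguous per shadow(5).
            if (expire == "")                 acct = "active"
            else if (expire + 0 == 0)         acct = "ambiguous"
            else if (expire + 0 <= today + 0) acct = "expired"
            else                              acct = "active"
            sh = (shell ~ /\/nologin$/) ? "nologin" : "login"
            print "password=" pw, "account=" acct, "shell=" sh
        }' "$2" "$3"
}

# Constructed sample data (placeholder hashes, not real ones).
SAMPLES=$(mktemp -d) && trap 'rm -rf "$SAMPLES"' EXIT
SHADOW=$SAMPLES/shadow PASSWD=$SAMPLES/passwd
cat > "$SHADOW" <<'EOF'
alice:$6$constructed$hash:19000:0:99999:7:::
bob:!$6$constructed$hash:19000:0:99999:7:::
carol:!$6$constructed$hash:19000:0:99999:7::1:
dave:$6$constructed$hash:19000:0:99999:7::0:
EOF
cat > "$PASSWD" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/sbin/nologin
EOF
TODAY=$(( $(date +%s) / 86400 ))
for user in alice bob carol dave; do
    printf '%-6s %s\n' "$user" "$(account_state "$user" "$SHADOW" "$PASSWD" "$TODAY")"
done
```

Here bob has only a locked password, carol is both locked and expired (the result of usermod -L -e 1), and dave carries the expiry value 0 that shadow(5) says not to use.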
Conclusion
This article covered different ways of locking or disabling a user’s account. As a Linux system administrator, you frequently need to manage multiple user accounts by enabling or disabling some of them according to required specifications. Though each way has its own pros and cons, you can use any of the demonstrated ways as per your system efficiency.
How to enable or disable a user?
I’m using Ubuntu 12.04 desktop. I have 3 users: user1 (administrator), user2 (standard) and guest. I wanted to disable user1 and enable user2, which auto logs on with no password, but after I did that I can’t log in to the user1 and user2 accounts, only the guest session user. I’m stripped of all administrative privileges. I don’t know which options are available to me, and how do I enable root or a user which is an administrator?
5 Answers
Expire Account
Let the account expire to disallow a user from logging in from any source, including ssh:
# disallow peter from logging in
sudo usermod --expiredate 1 peter
This is how you can reenable that account:
# set expiration date of peter to Never
sudo usermod --expiredate "" peter
Lock a Password
To disable / lock the password of user account use below command. This will not disallow ssh-access on Ubuntu. This prepends a ! to the password hash so that no password will match it anymore.
# take away peters password
sudo passwd -l peter
# give peter back his password
sudo passwd -u peter
Expire a Password
This command seems to differ across platforms. On Ubuntu, expiring a password will command the user to make up a new one once he logs in. This is not suitable for disabling an account.
# make peter think of a new password on login
sudo passwd -e YYYY-MM-DD peter
You should merge locking a password and expiring an account into one command as explained in @vorburger’s answer (usermod -L -e 1 [username]) and (usermod -U -e "" [username])
Use this to lock an account:
sudo usermod -L -e 1 [username]
and this to unlock an account so locked:
sudo usermod -U -e "" [username]
(Disabling and locking a user account both mean the same thing.)
To disable / lock the user account use below command:
sudo passwd -l [user_name]
e.g. sudo passwd -l samual
To put an expire date on a user account so that it automatically gets disabled / locked.
sudo passwd -e YYYY-MM-DD [user_name]
e.g. sudo passwd -e 2013-05-31 samual
To re-enable a disabled user, issue the passwd command with the -u option.
sudo passwd -u [username]
e.g. sudo passwd -u training
To enable the root account and change the root password use below steps.
Enter the new password for the root account and then exit. If this does not solve the issue, let me know.
Please feel free to let me know if you need anything else or any further clarification.