• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

The Geek Diary

CONCEPTS | BASICS | HOWTO

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • Linux Services
    • VCS
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
    • Data Guard
  • DevOps
    • Docker
    • Shell Scripting
  • Interview Questions
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

UNIX / Linux : How to lock or disable an user account

By admin

There are several ways in which user account can be locked or disabled. The posts discusses few of the most widely used ways.

1. Lock the password

To lock a users account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :

# usermod -L testuser

or

# passwd -l testuser

2. Expire the user account

The commands passwd -l and usermod -L are ineffcient when it comes to disable/lock user accounts. These commands will not disallow authentication by SSH public keys (or other PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can user the command chage -E0. For example :

# chage -E0 testuser

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

3. Changing the shell

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin [username]

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify if the account is locked or disabled.

For each of the methods described above, you can verify if the user account is locked/disabled using below methods.

1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status root
root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)

2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.

# chage -l root
Last password change                                    : Jul 19, 2017
Password expires                                        : Sep 02, 2017
Password inactive                                       : never
Account expires                                         : Sep 02, 2017
Minimum number of days between password change          : 0
Maximum number of days between password change          : 45
Number of days of warning before password expires       : 7

3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.

# grep ^root /etc/passwd
root:x:0:0:root:/root:/sbin/nologin

Filed Under: Linux

Some more articles you might also be interested in …

  1. CentOS / RHEL 7 : How to Enable the Old ethX Style Network Interfaces Names
  2. Managing MySQL Using Systemd As A Non Root User
  3. CentOS / RHEL 6 : How to add/remove additional IP addresses to a network interface
  4. Extend the size of /boot partition on virtualized environment (CentOS/RHEL 6)
  5. How To Add Standard Linux Users To Manage Print Jobs And Services in CentOS/RHEL
  6. Understanding The /proc File System
  7. ip Command Examples to Manage Networking in Linux
  8. Understanding linux fdisk utility
  9. How to rename a KVM VM with virsh
  10. How to Check whether SELinux is Enabled or Disabled

You May Also Like

Primary Sidebar

Recent Posts

  • Failed to start LSB: Bring up/down networking – On restarting network service CentOS/RHEL (DHCP client)
  • How To Add Timestamps To dmesg Kernel Boot Log in CentOS/RHEL
  • How to disable ICMP redirects on CentOS/RHEL
  • What are Oracle Key Vault Roles
  • Archives
  • Contact Us
  • Copyright

© 2021 · The Geek Diary