There are several ways in which user account can be locked or disabled. The posts discusses few of the most widely used ways.
1. Lock the password
To lock a users account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :
# usermod -L testuser
# passwd -l testuser
2. Expire the user account
The commands passwd -l and usermod -L are ineffcient when it comes to disable/lock user accounts. These commands will not disallow authentication by SSH public keys (or other PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can user the command chage -E0. For example :
# chage -E0 testuser
Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.
3. Changing the shell
We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.
# usermod -s /sbin/nologin [username]
You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.
Verify if the account is locked or disabled.
For each of the methods described above, you can verify if the user account is locked/disabled using below methods.
1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.
# passwd --status root root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)
2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.
# chage -l root Last password change : Jul 19, 2017 Password expires : Sep 02, 2017 Password inactive : never Account expires : Sep 02, 2017 Minimum number of days between password change : 0 Maximum number of days between password change : 45 Number of days of warning before password expires : 7
3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.
# grep ^root /etc/passwd root:x:0:0:root:/root:/sbin/nologin