Locking and Disabling User Accounts in Linux (2024)

1. Locking the user account

To lock a user account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/shadow.It has to be executed by either boby/privilaged user.

It will deny any access which would be done directly using su or with ssh.

# usermod -L boby

or

# passwd -l boby

Verify if the user account is locked.

Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd –status boby

boby *LK* 2020-05-01 0 45 7 -1 (Password set, SHA512 crypt.)

Try to Login

But with SSH key still connecting

2. Expiring the user account

The problem with above menthod is that if ssh password less key setup is done, then the user can still login via ssh using the keys.

# chage -E0 boby

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

Verify if the account has been expired.

# chage -l boby

Last password change : Apr 17, 2020

Password expires : never

Password inactive : never

Account expires : Jan 21, 1990

Minimum number of days between password change : 0

Maximum number of days between password change : 999999

Number of days of warning before password expires : 7

Try Login

So normally I prefer to lock and expire the user account both for better security.

3. Changing the shell to no login

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin boby

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify for no login shell

# grep ^boby /etc/passwd

boby:x:1001:1001:boby:/boby:/sbin/nologin