RHEL7x – How to lock or disable an user account in Linux

#usermod -L user

This will add an exclamation mark “!” in the second field of the file  /etc/passwd.

or use

#passwd -l testuser

There are several ways in which user account can be locked or disabled. The posts discusses few of the most widely used ways.

1. Lock the password

To lock a users account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :

# usermod -L testuser

or

# passwd -l testuser

2. Expire the user account

The commands passwd -l and usermod -L are ineffcient when it comes to disable/lock user accounts. These commands will not disallow authentication by SSH public keys (or other PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can user the command chage -E0. For example :

# chage -E0 testuser

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

3. Changing the shell

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin [username]

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify if the account is locked or disabled.

For each of the methods described above, you can verify if the user account is locked/disabled using below methods.

1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status root
root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)

2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.

# chage -l root
Last password change                                    : Jul 19, 2017
Password expires                                        : Sep 02, 2017
Password inactive                                       : never
Account expires                                         : Sep 02, 2017
Minimum number of days between password change          : 0
Maximum number of days between password change          : 45
Number of days of warning before password expires       : 7

3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.

# grep ^root /etc/passwd
root:x:0:0:root:/root:/sbin/nologin

 

Ron Jagannathan has written 54 articles

Ronan is a Caffeine dependent life-form from Planet Earth who wants to be a Jedi Knight of cloud computing. A man of mystery and power, whose power is exceeded only by his mystery. Quantum Physicist, TransHumanist, Systems Architect, Unix Administrator, Artificial Intelligence, Machine Learning and DIY Gadget enthusiast. Believes that the Universe has a high probability of being a simulation.
But he's real and hopefully some of his readers are too.
email: Ron.Jagannathan@gmail.com ph: 202 355 5205
https://www.linkedin.com/in/ronjagan/
My Famous Quotes:
“In a Unix Universe, God is known by a four letter word called root. To err is human...to really foul requires you to be root.. err.. god.” ― Ron Jagannathan

Github: github.com/ronjag
Linkedin: linkedin.com/in/ronjagan/

“Quotes found on the Internet are not always accurate.” ― Abraham Lincoln

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>