Linux Locking An Account

How do I lock an account (user login id) under Linux operating system? How can I disable a user’s login without disabling the account on a Linux based server?

You can use the passwd command to change the password for user or group accounts. A normal user may change the password only for his/her own account; the super user (root) may change the password for any account. You can also use the passwd command to lock or unlock an account on a Linux operating system.

Task: Linux locking an account

The syntax for locking an account is as follows. Locking works by rendering the encrypted password invalid: the encrypted string is prefixed with an !. The -l option is available to the root user only:

passwd -l {username}

The -l option disables an account by changing the password to a value which matches no possible encrypted value. In this example, lock the user account named vivek. First, log in as the root user and type the following command:

# passwd -l vivek

Sample outputs:

Locking password for user vivek.
passwd: Success

Task: Linux Unlocking an Account

The syntax is as follows; the -u option is available to the root user only:

passwd -u {username}

The -u option re-enables an account by changing the password back to its previous value, i.e. the value it had before the -l option was used. To unlock the user account named vivek, log in as the root user and type the following command:

# passwd -u vivek

Sample outputs:

Unlocking password for user vivek.
passwd: Success

Task: Root can access any account

The syntax is:

su - {username}
su - vivek

Sample session: Disable a user’s login without disabling the account

Fig.01: How to Linux disable a user’s login without disabling account

A note about the ssh public key based authentication

A user account locked with the -l option can still log in by other methods, such as ssh public key authentication. Use the following command for full account locking:

chage -E 0 {username}
## full lockdown for user named vivek ##
chage -E 0 vivek

Sample outputs:

Fig.02: Linux chage command set and unset expire date for given user account
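
To audit which accounts are only password-locked (passwd -l) and which are fully locked (chage -E 0), the following added example, which is not part of the original article, classifies /etc/shadow lines. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Field order follows shadow(5):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Days since 1970-01-01, the unit used by the expire field.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_lock_state LINE [TODAY]
# Prints "<user> <state>" where state is one of:
#   fully-locked          account expired (what chage -E 0 produces)
#   password-locked-only  hash starts with ! or * (what passwd -l produces);
#                         non-password logins such as ssh keys are unaffected
#   open                  neither lock is in place
shadow_lock_state() {
    today=${2:-$(today_days)}
    IFS=: read -r user hash _chg _min _max _warn _inact expire _rest <<EOF
$1
EOF
    case $expire in
        ''|*[!0-9]*) expired=no ;;   # empty field: account never expires
        *) [ "$today" -ge "$expire" ] && expired=yes || expired=no ;;
    esac
    case $hash in
        '!'*|'*'*) pw_locked=yes ;;  # no password can match this field
        *) pw_locked=no ;;
    esac
    if [ "$expired" = yes ]; then
        echo "$user fully-locked"
    elif [ "$pw_locked" = yes ]; then
        echo "$user password-locked-only"
    else
        echo "$user open"
    fi
}

# Constructed sample lines (not real hashes). On a real host, run as root:
#   while IFS= read -r l; do shadow_lock_state "$l"; done < /etc/shadow
while IFS= read -r l; do
    shadow_lock_state "$l" 16500
done <<'EOF'
alice:$6$constructed$hash:16481:0:99999:7:::
vivek:!$6$constructed$hash:16481:0:99999:7:::
bob:!$6$constructed$hash:16481:0:99999:7::0:
EOF
```

Any account reported as password-locked-only that also has an authorized_keys file is one where the lock does not stop ssh public key logins.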

How can I remove an account expiration date?

The syntax is:

chage -E -1 vivek
chage -l vivek
## optional: assign a new password for vivek ##
# passwd vivek

Sample outputs:

Last password change					: Feb 15, 2015
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

The user can now log in using an ssh public key or password:

ssh vivek@nas01
ssh -Y vivek@nas01

Sample outputs:

Linux nas01 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sun Feb 15 18:13:45 2015 from 192.168.1.4
vivek@nas01:~$

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.