Locking and Disabling User Accounts in Linux

1. Locking the user account

To lock a user account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/shadow.It has to be executed by either bob/privilaged user.

It will deny any access which would be done directly using su or with ssh.

# usermod -L bob

or

 

# passwd -l bob

Verify if the user account is locked.

Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status bob

bob *LK* 2020-05-01 0 45 7 -1 (Password set, SHA512 crypt.)

Try to Login

[himanshu@lcfs ~]$ su - bob

Password: 

su: Authentication failure

But with SSH key still connecting

[himanshu@lcfs ~]$ ssh bob@lcfs.lab

Welcome to Himanshu's Server Remote Login!

Last failed login: Fri May 15 17:52:08 IST 2020 on pts/1

There was 1 failed login attempt since the last successful login.

Last login: Fri May 15 17:51:07 2020 from lcfs.lab

2. Expiring the user account

The problem with above menthod is that if ssh password less key setup is done, then the user can still login via ssh using the keys.

# chage -E0 bob

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

Verify if the account has been expired.

# chage -l bob

Last password change                                    : Apr 17, 2020

Password expires                                        : never

Password inactive                                       : never

Account expires                                         : Jan 01, 1970

Minimum number of days between password change          : 0

Maximum number of days between password change          : 999999

Number of days of warning before password expires       : 7

Try Login

[himanshu@lcfs ~]$ ssh bob@lcfs.lab

Welcome to Himanshu's Server Remote Login!

Your account has expired; please contact your system administrator

Authentication failed.

So normally I prefer to lock and expire the user account both for better security.

3. Changing the shell to no login

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin bob

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify for no login shell

# grep ^bob /etc/passwd

bob:x:1001:1001:bob:/bob:/sbin/nologin