Locking and Disabling User Accounts in Linux

1. Locking the user account
To lock a user account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/shadow.It has to be executed by either bob/privilaged user.
It will deny any access which would be done directly using su or with ssh.

# usermod -L bob

# passwd -l bob

Verify if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status bob
bob *LK* 2020-05-01 0 45 7 -1 (Password set, SHA512 crypt.)

Try to Login

[himanshu@lcfs ~]$ su - bob
su: Authentication failure

But with SSH key still connecting

[himanshu@lcfs ~]$ ssh bob@lcfs.lab
Welcome to Himanshu's Server Remote Login!
Last failed login: Fri May 15 17:52:08 IST 2020 on pts/1
There was 1 failed login attempt since the last successful login.
Last login: Fri May 15 17:51:07 2020 from lcfs.lab

2. Expiring the user account

The problem with above menthod is that if ssh password less key setup is done, then the user can still login via ssh using the keys.

# chage -E0 bob
Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

Verify if the account has been expired.

# chage -l bob
Last password change                                    : Apr 17, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Jan 01, 1970
Minimum number of days between password change          : 0
Maximum number of days between password change          : 999999
Number of days of warning before password expires       : 7

Try Login

[himanshu@lcfs ~]$ ssh bob@lcfs.lab
Welcome to Himanshu's Server Remote Login!
Your account has expired; please contact your system administrator
Authentication failed.

So normally I prefer to lock and expire the user account both for better security.

3. Changing the shell to no login
We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin bob
You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify for no login shell

# grep ^bob /etc/passwd