126

Let's say I create a user named "bogus" using the adduser command. How can I make sure this user will NOT be a viable login option, without disabling the account. In short, I want the account to be accessible via su - bogus, but I do not want it to be accessible via a regular login prompt.

Searching around, it seems I need to disable that user's password, but doing passwd -d bogus didn't help. In fact, it made things worse, because I could now login to bogus without even typing a password.

Is there a way to disable regular logins for a given a account?

Note: Just to be clear, I know how to remove a user from the menu options of graphical login screens such as gdm, but these methods simply hide the account without actually disabling login. I'm looking for a way to disable regular login completely, text-mode included.

Malabarba
  • 2,059
  • 2
    Your -d is the flag to delete the password. That is different from disabling it (referred to as locking, see Chad's answer). – Caleb Aug 24 '11 at 20:59
  • 1
    You probably want to completely disable them: https://unix.stackexchange.com/questions/7690/how-do-i-completely-disable-an-account Also see this Ask Ubuntu question: https://askubuntu.com/questions/282806/how-to-enable-or-disable-a-user – Simon Woodside May 29 '17 at 23:04

8 Answers

137
passwd -l user

is what you want.

That will lock the user account. But you'll still be able to

su - user

but you'll have to su - user as root.

Alternatively, you can accomplish the same thing by prepending a ! to the user's password in /etc/shadow (this is all passwd -l does behind the scenes). And passwd -u will undo this.

slm
  • 369,824
Chad Feller
  • 1,762
  • 39
    By using the passwd -l option you should be aware that the user could login using another authentication token (e.g. an SSH key). – pl1nk Feb 20 '13 at 16:42
  • 2
    Please see my answer below on a recommended solution on how to avoid this. – JoeGo Oct 29 '14 at 15:58
  • 2
    This does not work on Ubuntu 16.04. It will change the expire date and not allow su - user anymore. – merlin Feb 07 '17 at 17:09
  • 4
    Is this same as the --disabled-password option given to adduser? Does creating a user without --disabled-password and then running passwd -l on that user achieve the same result as running adduser with --disabled-password in the first place? – haridsv Apr 16 '18 at 09:18
  • 2
    @haridsv on Alpine (likely the same on other distros, untested) if I use --disabled-password and then run passwd -l user I get the error passwd: password for user is already locked. I assume they're the same, yes. – BugHunterUK Jul 26 '21 at 22:35
51

The man page of passwd(1) says about passwd -l:

Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

So

usermod --expiredate 1 [LOGIN]

seems to me like the right way to disable an account a user should not be able to use anymore (e.g. because he left the company).

JoeGo
  • 611
  • 5
    On my CentOS 6.3, passwd -l does block ssh connection for a user, and usermod --expiredate 1 doesn't! – fduff Feb 06 '15 at 08:20
  • 1
    On my CentOS 7.4, passwd -l no longer blocks ssh connections for a user, and usermod --expiredate 1 user does block. Per man passwd you can also use chage -E 0 user to block a user. After applying usermod or chage I am able to sudo su user – user12345 Oct 23 '17 at 20:42
  • usermod --expiredate 0 [LOGIN] also works, it sets the expire date to Jan 1 1970 whereas a 1 sets this to Jan 2 1970. – slm Nov 15 '17 at 04:39
  • 2
    "The value 0 should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan 1, 1970." -- shadow(5) – Johannes Kohnen Aug 05 '18 at 07:07
33

There are two methods to prevent a user from being able to login:

  1. you can lock the user by editing /etc/passwd
  2. by directly issuing the passwd command with the -l switch

In the second case the user can login using another authentication token (e.g. an SSH key).

Method #1

  1. Find where nologin is: /bin/nologin or /bin/sbin/nologin
  2. Open a terminal and login as root
  3. Type vi /etc/passwd

Now you are in the passwd file; press Ins to edit the file.

Change the line below to use the nologin option (/bin/bash means the user is able to log in).

root:x:0:0:root:/root:/bin/bash

to this (nologin means the user is unable to log in):

root:x:0:0:root:/root:/bin/nologin

(or with /bin/sbin/nologin)

  4. Close vi with Esc :wq

Method #2

To lock user: passwd -l username

To unlock user: passwd -u username

  • 3
    On an Ubuntu 14.04 system, I found /usr/sbin/nologin instead of /bin/nologin. – Dennis Williamson Oct 10 '14 at 23:25
  • 3
    Tip: use which nologin to determine the correct path for your system – musicin3d Oct 09 '20 at 20:49
  • In modern distros you no longer can succeed with su - user if user's shell set to nologin as you will be bounced back with This account is currently not available.. You can still succeed for accounts locked with passwd -l though. – Marcin Orlowski Oct 10 '20 at 17:53
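An added example, not code from any of the answers or their authors: a small POSIX shell audit that checks the three mechanisms discussed across Chad Feller's answer (password locked with passwd -l, a "!" prefix in /etc/shadow), JoeGo's answer (an expiry date in field 8 of /etc/shadow) and this one (a nologin or /bin/false shell in /etc/passwd), and reports which login paths each state closes. The /etc/passwd and /etc/shadow records, the user names and the function names are constructed assumptions for the example; on a real host you would feed it the real files through the PASSWD_DATA and SHADOW_DATA variables as the comment shows.

```shell
#!/bin/sh
# Added example (not from any answer on this page): audit the three account states the
# answers discuss - locked password (passwd -l, '!' prefix in /etc/shadow), expiry date
# (usermod --expiredate / chage -E, field 8 of /etc/shadow) and a non-interactive shell
# (nologin or /bin/false in /etc/passwd) - and say which login paths each one closes.
#
# Constructed sample records, not copied from any real host. Override with the real
# files when auditing a system:  PASSWD_DATA=$(cat /etc/passwd) SHADOW_DATA=$(sudo cat /etc/shadow)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bogus:x:1001:1001:Bogus:/home/bogus:/bin/bash
nopass:x:1002:1002::/home/nopass:/bin/bash
svc:x:1003:1003::/home/svc:/usr/sbin/nologin
old:x:1004:1004::/home/old:/bin/bash'
SAMPLE_SHADOW='root:$6$c0nstructed$hash:19000:0:99999:7:::
bogus:!$6$c0nstructed$hash:19000:0:99999:7:::
nopass::19000:0:99999:7:::
svc:*:19000:0:99999:7:::
old:$6$c0nstructed$hash:19000:0:99999:7::1:'

# shadow_field NAME N -> prints field N of NAME's shadow record; exit 1 if no such user.
shadow_field() {
    printf '%s\n' "${SHADOW_DATA:-$SAMPLE_SHADOW}" |
        awk -F: -v u="$1" -v f="$2" '$1 == u { print $f; found = 1 } END { exit !found }'
}

# password_state NAME -> set | locked | empty | disabled | unknown
password_state() {
    pw=$(shadow_field "$1" 2) || { echo unknown; return 0; }
    case "$pw" in
        "")   echo empty ;;     # passwd -d: the questioner's "login without a password"
        "!"*) echo locked ;;    # passwd -l prepends '!' ("!!" = never had a password)
        "*")  echo disabled ;;  # no valid hash at all, typical for system accounts
        *)    echo set ;;
    esac
}

# expiry_state NAME -> never | ambiguous | expired | future | unknown
expiry_state() {
    exp=$(shadow_field "$1" 8) || { echo unknown; return 0; }
    today=$(( $(date +%s) / 86400 ))          # shadow stores days since 1970-01-01
    case "$exp" in
        "") echo never ;;
        0)  echo ambiguous ;;                 # shadow(5): 0 may mean "no expiry" or 1970-01-01
        *)  [ "$exp" -le "$today" ] && echo expired || echo future ;;
    esac
}

# shell_state NAME -> interactive | nologin | false | unknown
shell_state() {
    shl=$(printf '%s\n' "${PASSWD_DATA:-$SAMPLE_PASSWD}" | awk -F: -v u="$1" '$1 == u { print $7 }')
    case "$shl" in
        "")         echo unknown ;;
        */nologin)  echo nologin ;;   # /sbin, /usr/sbin or /bin; find yours with: command -v nologin
        */false)    echo false ;;
        *)          echo interactive ;;
    esac
}

# Exit 0 when every login path is refused, SSH keys included. Per the passwd(1) text quoted
# in JoeGo's answer, a locked password alone does not do this; an expiry date or a nologin shell does.
account_disabled() {
    [ "$(expiry_state "$1")" = expired ] && return 0
    case "$(shell_state "$1")" in nologin|false) return 0 ;; esac
    return 1
}

# Exit 0 when a password prompt (console, getty, ssh with password authentication) is refused.
password_login_blocked() {
    case "$(password_state "$1")" in locked|disabled) return 0 ;; esac
    account_disabled "$1"
}

# account_report NAME -> one summary line per account
account_report() {
    printf '%-7s password=%-8s expiry=%-9s shell=%-11s' "$1" \
        "$(password_state "$1")" "$(expiry_state "$1")" "$(shell_state "$1")"
    if account_disabled "$1"; then
        echo '=> disabled for all login paths'
    elif password_login_blocked "$1"; then
        echo '=> password login refused; key-based SSH may still succeed'
    elif [ "$(password_state "$1")" = empty ]; then
        echo '=> WARNING: logs in with no password at all'
    else
        echo '=> login allowed'
    fi
}

for u in root bogus nopass svc old; do
    account_report "$u"
done
```

Run as-is it reports on the constructed records: bogus (locked) is refused at a password prompt but not for key-based SSH, nopass (passwd -d) is flagged as passwordless, and svc (nologin shell) and old (expiry date 1) are closed on every path. The expiry value 0 is reported as ambiguous rather than expired because, as the shadow(5) quote in the comments above says, it is read either as "no expiry" or as Jan 1, 1970 depending on the tool.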
9

It's quite an easy task; you simply have to make some changes in the /etc/passwd file.

You simply have to change the shell, which by default is generally /bin/bash (i.e. you can log in using this shell), to /bin/nologin or /bin/false. It is advisable to change it to /bin/nologin because /bin/false is outdated.

garethTheRed
  • 33,957
4

Set /bin/false as a shell in /etc/passwd

danadam
  • 463
  • 21
    When one sets the shell to /bin/false, one prevents using su to act as that user. Additionally, using /bin/false produces no error nor other hint of what just went wrong -- in cases where one does want to prevent even su from being used to get a shell as that user, the shell should be changed to /sbin/nologin which does produce an error. – HedgeMage Aug 24 '11 at 16:22
  • 8
    No, the su is still possible for users with /bin/false shells in passwd - just use the option --shell: su - --shell /bin/sh bogus. – Matej Kovac Feb 27 '14 at 09:56
  • 1
    /usr/sbin/nologin has the same effect as /bin/false, but also shows a useful informational message. – Rörd Jan 31 '18 at 15:20
2

Assuming you want to start with a fresh user account:

sudo adduser --no-create-home --disabled-password --disabled-login <uname>

With usermod --expiredate 1 <uname> I had the problem that this account cannot be used for anything anymore (e.g. for samba logins). My use-case was that I want to disable all functionality for ssh, ordinary, ... logins but still use it as a Samba user.

0

When we lock the user using the passwd -l user command, "!!" is indicated in the /etc/shadow file. We are still able to switch to the user's shell from the root account, but not able to switch to the user account from another normal user's login shell.

We can also disable the account by providing /bin/nologin or /bin/false in the /etc/passwd file, so the user is not able to log in.

peterh
  • 9,731
-1

You can use the command

usermod -s /sbin/nologin username