Edukasi

UNIX / Linux : How to lock or disable an user account

There are several ways in which user account can be locked or disabled. The posts discusses few of the most widely used ways.

1. Lock the password

To lock a users account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :

# usermod -L testuser

or

 

# passwd -l testuser

2. Expire the user account

The commands passwd -l and usermod -L are ineffcient when it comes to disable/lock user accounts. These commands will not disallow authentication by SSH public keys (or other PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can user the command chage -E0. For example :

# chage -E0 testuser

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

3. Changing the shell

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin [username]

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify if the account is locked or disabled.

For each of the methods described above, you can verify if the user account is locked/disabled using below methods.

1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status root
root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)

2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.

# chage -l root
Last password change                                    : Jul 19, 2017
Password expires                                        : Sep 02, 2017
Password inactive                                       : never
Account expires                                         : Sep 02, 2017
Minimum number of days between password change          : 0
Maximum number of days between password change          : 45
Number of days of warning before password expires       : 7

3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.

# grep ^root /etc/passwd
root:x:0:0:root:/root:/sbin/nologin

 

 

ryan

Recent Posts

Komputer Lemot? Gunakan MiniOS Ultra, Distro Linux dengan Fitur yang Cukup Lengkap

Jika merasa frustasi karena komputer atau laptop kamu hanya sanggup menjalankan aplikasi sederhana seperti browser…

1 minggu ago

Games Nostalgia PS1 Tamiya Let’s & Go!! Eternal Wings (Japan)

Bakusou Kyoudai Lets & Go Eternal Wings atau biasa disebut dengan Game Tamiya PS1 merupakan permainan balap mobil Mini…

3 minggu ago

Cara Tambahkan Stiker Add Yours di WhatsApp Status

WhatsApp Status kembali mendapatkan fitur baru. Setelah cukup lama diuji coba, WhatsApp akhirnya merilis fitur 'Add…

3 minggu ago

Mark Zuckerberg Ingin AI Jadi Teman untuk Orang yang Kesepian

Chatbot AI saat ini sudah umum dipakai menjadi asisten digital. Tapi menurut Mark Zuckerberg, AI juga bisa…

3 minggu ago

Polytron Itu Mobil Listrik Nasional atau Bukan?

Polytron jadi merek Indonesia yang terjun dalam industri mobil listrik. Polytron disebut-sebut bakal menjadi mobil…

3 minggu ago

Pesaing China Muncul, Bikin AI Pakai GPU Murah Meriah

Fastino, startup kecerdasan buatan asal Amerika Serikat, memamerkan model AI barunya yang ditujukan untuk bisnis. Menariknya, model AI…

3 minggu ago