Edukasi

UNIX / Linux : How to lock or disable an user account

There are several ways in which user account can be locked or disabled. The posts discusses few of the most widely used ways.

1. Lock the password

To lock a users account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/passwd. For example :

# usermod -L testuser

or

 

# passwd -l testuser

2. Expire the user account

The commands passwd -l and usermod -L are ineffcient when it comes to disable/lock user accounts. These commands will not disallow authentication by SSH public keys (or other PAM modules other than pam_unix that may be enabled). Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory to us since this only affects interactive logins. So to completely disable user accounts you can user the command chage -E0. For example :

# chage -E0 testuser

Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.

3. Changing the shell

We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin [username]

You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify if the account is locked or disabled.

For each of the methods described above, you can verify if the user account is locked/disabled using below methods.

1. Check if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status root
root *LK* 2017-07-19 0 45 7 -1 (Password set, SHA512 crypt.)

2. Check if the account has an expire date.
Check for the lines Password expires and Account expires to check if the account password is expired.

# chage -l root
Last password change                                    : Jul 19, 2017
Password expires                                        : Sep 02, 2017
Password inactive                                       : never
Account expires                                         : Sep 02, 2017
Minimum number of days between password change          : 0
Maximum number of days between password change          : 45
Number of days of warning before password expires       : 7

3. Check for non-interactive shell
Check if the user shell has been changed to a non-interactive shell like /sbin/nologin.

# grep ^root /etc/passwd
root:x:0:0:root:/root:/sbin/nologin

 

 

ryan

Recent Posts

Polytron Itu Mobil Listrik Nasional atau Bukan?

Polytron jadi merek Indonesia yang terjun dalam industri mobil listrik. Polytron disebut-sebut bakal menjadi mobil…

1 jam ago

Pesaing China Muncul, Bikin AI Pakai GPU Murah Meriah

Fastino, startup kecerdasan buatan asal Amerika Serikat, memamerkan model AI barunya yang ditujukan untuk bisnis. Menariknya, model AI…

2 jam ago

Jangan Terima Kasih dan Minta Tolong ke ChatGPT, Bikin Boncos

Sopan terhadap AI seperti ChatGPT mungkin dilakukan beberapa orang karena memang mirip bicara pada manusia. Namun siapa…

2 jam ago

Rockstar Klaim Cuplikan Keren Trailer Kedua GTA 6 dari In-Game PS5

Trailer kedua GTA 6 sudah rilis. Menariknya, kualitas yang disuguhkan sungguh memesona dan memanjakan mata. Namun…

2 jam ago

Mengenal Kode-Kode Busi Mobil dan Cara Membacanya Agar Tidak Salah Beli

Busi adalah komponen penting pada kendaraan yang berfungsi sebagai pemantik bunga api agar mesin dapat…

6 hari ago

Integrasi VMware vCenter SSO dengan Azure AD

Akhirnya hadir! VMware akhirnya memungkinkan Anda memanfaatkan Azure AD sebagai Penyedia Identitas (IdP) utama. Hari…

1 minggu ago