Disable a user's login without disabling the account

Let’s say I create a user named “bogus” using the adduser command. How can I make sure this user will NOT be a viable login option, without disabling the account? In short, I want the account to be accessible via su - bogus, but I do not want it to be accessible via a regular login prompt.

Searching around, it seems I need to disable that user’s password, but doing passwd -d bogus didn’t help. In fact, it made things worse, because I could now log in to bogus without even typing a password.

Is there a way to disable regular logins for a given account?

Note: Just to be clear, I know how to remove a user from the menu options of graphical login screens such as gdm, but these methods simply hide the account without actually disabling login. I’m looking for a way to disable regular login completely, text-mode included.

Asked By: Malabarba

Set /bin/false as a shell in /etc/passwd

Answered By: danadam

passwd -l user

is what you want.

That will lock the user account. But you’ll still be able to

su - user

but you’ll have to su - user as root.

Alternatively, you can accomplish the same thing by prepending a ! to the user’s password in /etc/shadow (this is all passwd -l does behind the scenes). And passwd -u will undo this.

Answered By: Chad Feller

There are two methods to prevent a user from being able to login:

  1. you can lock the user by editing /etc/passwd
  2. by directly issuing the passwd command with the -l switch

In the second case the user can login using another authentication token (e.g. an SSH key).

Method #1

  1. Find where nologin is: /bin/nologin or /bin/sbin/nologin
  2. Open a terminal and login as root
  3. Type vi /etc/passwd

Now that you are in the passwd file, press Ins to edit the file.

Change the below line with the nologin option (/bin/bash means the user is able to login).

root:x:0:0:root:/root:/bin/bash

to this. nologin means the user is unable to login.

root:x:0:0:root:/root:/bin/nologin

(or with /bin/sbin/nologin)

  4. Close vi: Esc :wq

Method #2

To lock user: passwd -l username

To unlock user: passwd -u username

Answered By: Mansur Ul Hasan

The man page of passwd(1) says about passwd -l:

Note that this does not disable the account. The user may still
be able to login using another authentication token (e.g. an SSH
key). To disable the account, administrators should use usermod
--expiredate 1 (this set the account’s expire date to Jan 2,
1970).

So

usermod --expiredate 1 [LOGIN]

seems to me like the right way to disable an account a user should not be able to use anymore (e.g. because he left the company).

Answered By: JoeGo

It’s quite an easy task; you simply have to make some changes in the /etc/passwd file.

You simply have to change the shell, which is generally /bin/bash by default (i.e. you can log in using this shell), to /bin/nologin or /bin/false. It is advisable to change it to /bin/nologin because /bin/false is outdated.

Answered By: PRABHAT PARASHAR

When we lock the user using the passwd -l user command, “!!” is shown in the /etc/shadow file. We are still able to switch to the user’s shell from the root account, but not to the user account from other normal users’ login shells.

We can also disable the account by putting /bin/nologin or /bin/false into the /etc/passwd file, so the user may not be able to log in.

Answered By: Sushil Musande

You can use the command

usermod -s /sbin/nologin username

Assuming you want to start with a fresh user account:

sudo adduser --no-create-home --disabled-password --disabled-login <uname>

With usermod --expiredate 1 <uname> I had the problem that this account cannot be used for anything anymore (e.g. for samba logins). My use-case was that I want to disable all functionality for ssh, ordinary, … logins but still use it as a Samba user.

Answered By: holzkohlengrill
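
Added example (not from any of the answers above): a shell function that reads one /etc/passwd line and one /etc/shadow line and reports which of the states discussed on this page the account is in: the empty password left by passwd -d, the ! prefix from passwd -l, a nologin or false shell, and the expiry set by usermod --expiredate 1. The function name account_state, its output labels and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# account_state PASSWD_LINE SHADOW_LINE  (hypothetical helper, added example)
# Prints what the two lines say about the account. The lines are passed as
# strings so the check can be tried without root.
account_state() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    expire=$(printf '%s\n' "$2" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))   # shadow stores dates as days since 1970-01-01
    out=""

    # passwd field 7: nologin and false exit at once instead of starting a shell.
    case "$shell" in
        */nologin|*/false) out="$out shell-blocked" ;;
        *)                 out="$out shell-ok" ;;
    esac

    # shadow field 2: empty is what passwd -d leaves behind;
    # a leading ! is what passwd -l prepends; * never matches any password.
    case "$hash" in
        "")        out="$out password-EMPTY" ;;
        '!'*|'*'*) out="$out password-locked" ;;
        *)         out="$out password-set" ;;
    esac

    # shadow field 8: expiry day; usermod --expiredate 1 stores 1 here.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        out="$out account-expired"
    fi
    printf '%s\n' "${out# }"
}

# Constructed sample lines (not taken from a real system).
P_BASH='bogus:x:1001:1001::/home/bogus:/bin/bash'
P_NOLOGIN='bogus:x:1001:1001::/home/bogus:/sbin/nologin'
S_SET='bogus:$6$salt$examplehash:19700:0:99999:7:::'
S_EMPTY='bogus::19700:0:99999:7:::'
S_LOCKED='bogus:!$6$salt$examplehash:19700:0:99999:7:::'
S_EXPIRED='bogus:$6$salt$examplehash:19700:0:99999:7::1:'

echo "after passwd -d:               $(account_state "$P_BASH" "$S_EMPTY")"
echo "after passwd -l:               $(account_state "$P_BASH" "$S_LOCKED")"
echo "after usermod -s nologin:      $(account_state "$P_NOLOGIN" "$S_SET")"
echo "after usermod --expiredate 1:  $(account_state "$P_BASH" "$S_EXPIRED")"
```

On a live system, as root, the two arguments can be taken from getent passwd bogus and getent shadow bogus.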