Disable user shell for security reasons

We have several user accounts that we create for automated tasks that require fine-grained permissions, such as file transfer across systems, monitoring, etc.

How do we lock down these user accounts so that these “users” have no shell and are not able to login? We want to prevent the possibility that someone can SSH in as one of these user accounts.

Asked By: Suman


You edit the /etc/passwd file and change the user's shell from /bin/bash or /bin/sh to /sbin/nologin.

Answered By: Mark Cohen

You can use the usermod command to change a user’s login shell.

usermod -s /sbin/nologin myuser

or

usermod -s /usr/sbin/nologin myuser

If your OS does not provide /sbin/nologin, you can set the shell to a NOOP command such as /bin/false:

usermod -s /bin/false myuser

Answered By: jordanm

First, disable the password, using passwd -l username.

Also note in the man page for passwd for option -l:

   -l, --lock
       Lock the password of the named account. This option disables a password by changing it to a value which matches no
       possible encrypted value (it adds a ´!´ at the beginning of the password).

       Note that this does not disable the account. The user may still be able to login using another authentication token
       (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's
       expire date to Jan 2, 1970).

       Users with a locked password are not allowed to change their password.

Answered By: mdpc

You can use chsh command:

~# chsh myuser

Enter new shell details when requested:

Login Shell [/bin/sh]: /bin/nologin

Or shorter version:

~# chsh myuser -s /bin/nologin

Answered By: Let'sTalk

Changing the login shell does not necessarily prevent users from authenticating (except in some services that check if the user’s shell is mentioned in /etc/shells).

People may still be able to authenticate to the various services that your system provides to unix users, and may still be authorized to perform some actions albeit probably not run arbitrary commands directly.

Changing the shell to /bin/false or /usr/sbin/nologin will only prevent them from running commands on those services that can be used to run commands (console login, ssh, telnet, rlogin, rexec…), so it affects authorisation for some services only.

For ssh for instance, that still allows them to do port forwarding.

passwd -l will disable password authentication, but the user may still be allowed to use other authentication methods (like authorized_keys with ssh).

With pam on Linux at least, you can use the pam_shells module to restrict authentication or authorisation to users with an allowed shell (those mentioned in /etc/shells). For ssh, you’ll want to do it at authorisation (account) level as for authentication sshd uses pam in addition to other authentication methods (like authorized_keys), or you can do it with sshd_config directives in /etc/ssh/sshd_config (like AllowUsers and friends).

Beware though that adding some restrictions in global pam authorisation will potentially prevent running cron jobs as those users.

Answered By: Stéphane Chazelas

To prevent the user from logging in, and even from authenticating over ssh (which enables port forwarding, as Stéphane describes here), I modify the user to be similar to the system's nobody user:

  • blocked password authentication in /etc/shadow (with * or !! in the proper field)
  • disabled shell in /etc/passwd (e.g. /sbin/nologin in the proper field)
  • read-only home dir in /etc/passwd (e.g. / in the proper field)

Answered By: keypress
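The checks that Stéphane's and keypress's answers describe, as an added audit script (not code from any of the answers above): for each account it reports whether the shell is still interactive, whether the shadow password is still usable (i.e. passwd -l was not applied), whether the expiry field is empty, and whether an authorized_keys file exists. The passwd/shadow lines are constructed sample data, not from a real host.

```shell
#!/bin/sh
# Audit service accounts for the gaps the answers above describe: a
# non-interactive shell alone leaves password auth, SSH keys and a missing
# expiry date in place. Sample data below is constructed, not from a real host.
PASSWD_SAMPLE='xfer:x:1001:1001::/srv/xfer:/sbin/nologin
monitor:x:1002:1002::/home/monitor:/bin/false
backup:x:1003:1003::/srv/backup:/bin/bash'
SHADOW_SAMPLE='xfer:$6$salt$constructedhash:19000:0:99999:7:::
monitor:!:19000:0:99999:7::1:
backup:*:19000:0:99999:7:::'

# Field lookups; on a real host read /etc/passwd and /etc/shadow instead
# (reading shadow requires root).
passwd_field() { printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" -v f="$2" '$1==u{print $f}'; }
shadow_field() { printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" -v f="$2" '$1==u{print $f}'; }

add_finding() { findings="${findings:+$findings }$1"; }

# audit_account NAME: prints "NAME:ok" or "NAME:<space-separated findings>"
audit_account() {
  findings=""
  shell=$(passwd_field "$1" 7)
  case "$shell" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;   # cannot be used to run commands
    *) add_finding "interactive-shell($shell)" ;;
  esac
  pw=$(shadow_field "$1" 2)
  case "$pw" in
    '') add_finding "empty-password" ;;              # no password at all
    '!'*|'*'*) ;;                                    # locked (passwd -l) or never set
    *) add_finding "password-usable" ;;              # hash present: passwd -l not applied
  esac
  # usermod --expiredate 1 is what actually disables the account for PAM
  [ -n "$(shadow_field "$1" 8)" ] || add_finding "no-expiry"
  # an authorized_keys file still grants SSH access regardless of the above
  home=$(passwd_field "$1" 6)
  [ -s "$home/.ssh/authorized_keys" ] && add_finding "ssh-key-present"
  printf '%s:%s\n' "$1" "${findings:-ok}"
}

for u in xfer monitor backup; do audit_account "$u"; done
```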