Sooner or later a system administrator needs to disable user accounts. This may be due to suspicious user activity, for example, or because a user's work contract has been terminated. As far as overall system security is concerned, it is always a good idea to keep enabled only those user logins that are necessary for the system or company to function. This tutorial explores some ways to disable user accounts on a Linux system.

1. Disable Account using /etc/shadow

The simplest way to disable a user login is to add an extra, recognizable character to the user's encrypted password stored in /etc/shadow. In the example below we insert an "X" character, so the stored value can no longer be decrypted into anything meaningful:
lubos:X$6$1ANrXcst$H4yOxEjNSNJAYdwe6q6ygHW3yGC/GhRW0:16243:0:99999:7:::
Note that this method only works if all users and services authenticate against the /etc/passwd file. Your system may have custom-configured PAM modules, so make sure that nothing gets through.

2. Disable User Logins with usermod command

Most Linux distributions include the usermod command, which can be used to disable a user account. However, this method is just a shortcut for the procedure above, since all usermod does is place a "!" character in front of the user's encrypted password in the /etc/shadow file. In the following example we disable the user account "lubos" using the usermod command:
# usermod -L lubos
No output is produced; the result can be seen by examining the /etc/shadow file.
lubos:!$6$1ANrXcst$H4yOxEjNSNJAYdwe6q6ygHW3yGC/GhRW0:16243:0:99999:7:::
To enable the user account again, either remove the "!" sign from the /etc/shadow file or use the usermod command:
# usermod -U lubos

3. Disable User Logins using pseudo shell

Another simple way to disable a user login/account is to use one of the following shells:
/bin/false
/bin/true
/sbin/nologin
/usr/sbin/nologin
Use the vipw command to edit the user's default shell. For example:
lubos:x:1000:1000:lubos,,,:/home/lubos:/bin/true
OR
lubos:x:1000:1000:lubos,,,:/home/lubos:/usr/sbin/nologin
The difference between /bin/true and /usr/sbin/nologin is that nologin prints a message:
$ /usr/sbin/nologin
This account is currently not available.
Some Linux distributions may not have /usr/sbin/nologin available. Check /etc/shells to see what is available on your system.
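
To check which of the three methods above is actually in effect for an account, the following added example (not part of the original tutorial) classifies a shadow-format line and a passwd-format line. The function names are hypothetical and the sample lines are constructed from the tutorial's own sample values.

```shell
#!/bin/sh
# Added example: report how an account is disabled.
# Sample lines are constructed; the hash is the tutorial's sample value.

# Field 2 of a shadow-format line -> empty | locked | usable | nonstandard
password_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '')          echo empty ;;        # no password required at all
        '!'* | '*'*) echo locked ;;       # "!" is what usermod -L prepends
        '$'*)        echo usable ;;       # $id$salt$hash crypt string
        *)           echo nonstandard ;;  # e.g. the "X" prefix from method 1
    esac
}

# Field 7 of a passwd-format line -> nologin | interactive
shell_state() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case $shell in
        /bin/false | /bin/true | /sbin/nologin | /usr/sbin/nologin)
            echo nologin ;;               # pseudo shells from method 3
        *)  echo interactive ;;           # anything else, including an empty field
    esac
}

# Combine both checks: the password field and the shell are independent,
# so an account can be locked in one place and still open in the other.
audit_account() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    echo "$user password=$(password_state "$1") shell=$(shell_state "$2")"
}

HASH='$6$1ANrXcst$H4yOxEjNSNJAYdwe6q6ygHW3yGC/GhRW0'
PW='lubos:x:1000:1000:lubos,,,:/home/lubos'
audit_account "lubos:!$HASH:16243:0:99999:7:::" "$PW:/bin/bash"
audit_account "lubos:X$HASH:16243:0:99999:7:::" "$PW:/usr/sbin/nologin"
audit_account "lubos:$HASH:16243:0:99999:7:::"  "$PW:/bin/true"
```

On a live system the same functions can be fed the output of "getent shadow lubos" and "getent passwd lubos" when run as root.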
