Different ways to disable user access in Linux

Learn different ways to restrict a user from accessing the system apart from locking him out. This is one of the essential tips for managing user access.

 


Whenever there is a requirement to disable user access on a Linux system, the first thing that comes to mind is locking the user out of the system. But there are many different ways to achieve the same goal, i.e. keeping the user from accessing the account.

We have already seen how to lock/unlock a user account in Linux. The list below shows other ways of disabling access:

  1. Using usermod command
  2. Editing password hash in /etc/passwd file
  3. Editing login shell in /etc/passwd file
  4. By expiring account lifetime
  5. By emptying user password

1. Using usermod command

usermod command is used to modify user characteristics. This command has -L option to lock account and -U option to unlock account.

Read more about usermod command here.

Using this we can disable user access to the system. This command adds ! in front of the encrypted password in /etc/passwd file. This in turn makes the kernel believe the user is locked and should not be permitted to access the system.


2. Editing password hash in /etc/passwd

This is the same as above. The only difference is that we edit the /etc/passwd file manually using vi, vipw or any text editor and put a ! mark in front of the encrypted password. It is always recommended to use the vipw command to edit /etc/passwd to maintain the integrity of the file, unless you know what you are doing.


3. Editing login shell in /etc/passwd file

As you know, the last field in the /etc/passwd file is the shell. By changing this field to /sbin/nologin or /bin/false, one can restrict the access of the user.

Read more about /etc/passwd file here.

When /sbin/nologin is defined for a user, at the time of login that user will be presented with the “Account not available” message, if defined in /etc/nologin.txt, and the session will exit. If /bin/false is defined, the user will be exited out at the time of login without any message. This field can be set manually by editing /etc/passwd using vipw or vi, or it can be set using the usermod -s command.

 


4. By expiring account lifetime

On a Linux system every account comes with a defined lifetime, so an account expiry is attached to each account. By setting this expiry date to a past date, one can present the account’s lifetime as expired to the kernel, and the kernel won’t permit the user to log on. The account expiry date can be set using the chage -E option. The date should be in yyyy-mm-dd format.

In above example we set the expiry date as yesterday, i.e. the account is already expired for today, and hence it won’t be able to log in. See account expires showing as 30 Nov where the current system date is 1 Dec.


5. By emptying user password

This is another tricky way to keep a user from accessing the system. But in this method you will be losing the user’s set password. So when you enable the user back on the system, the user won’t be able to use the old password. A new password needs to be set up for the account.

In this method, you have to empty the user’s password. Since the password is empty, at the login prompt the user won’t be able to get in. You can empty the password using the passwd -d option.

You can verify if the password is removed using the passwd -S command.
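
The five methods leave different traces, so one check can show an account as enabled while another shows it disabled. The script below is an added example, not part of the original article: it reports which of the states above apply to an account. It assumes the common shadow-password layout, where the hash and expiry day are fields 2 and 8 of /etc/shadow; account_state, demo and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how an account is disabled from one passwd(5) line
# and one shadow(5) line. Every sample line below is constructed.

# account_state PASSWD_LINE SHADOW_LINE TODAY  (TODAY = days since 1970-01-01)
# Prints the states that apply, space separated, or "active" if none do.
account_state() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)   # passwd field 7: login shell
    hash=$(printf '%s\n' "$2" | cut -d: -f2)    # shadow field 2: password hash
    expire=$(printf '%s\n' "$2" | cut -d: -f8)  # shadow field 8: expiry day
    out=""
    case $hash in
        '')        out="$out empty-password" ;;   # state left by passwd -d
        '!'*|'*'*) out="$out password-locked" ;;  # "!" prefix (usermod -L) or "*"
    esac
    case $shell in
        */nologin|*/false) out="$out no-login-shell" ;;
    esac
    # shadow(5) calls expiry value 0 ambiguous, so only positive days count.
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$3" ]; then
        out="$out expired"
    fi
    [ -n "$out" ] || out=" active"
    printf '%s\n' "${out# }"
}

# Constructed data: "today" is day 19692, dave expired the day before.
TODAY=19692
demo() {
    while IFS='|' read -r p s; do
        printf '%-6s %s\n' "${p%%:*}" "$(account_state "$p" "$s" "$TODAY")"
    done <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash|alice:$6$salt$hash:19000:0:99999:7:::
bob:x:1002:1002::/home/bob:/bin/bash|bob:!$6$salt$hash:19000:0:99999:7:::
carol:x:1003:1003::/home/carol:/sbin/nologin|carol:$6$salt$hash:19000:0:99999:7:::
dave:x:1004:1004::/home/dave:/bin/bash|dave:$6$salt$hash:19000:0:99999:7::19691:
erin:x:1005:1005::/home/erin:/bin/bash|erin::19000:0:99999:7:::
EOF
}
demo
```

On a live system the two input lines can be taken from getent passwd USER and, as root, getent shadow USER. The empty-password state is reported separately because shadow(5) defines an empty password field as requiring no password to authenticate, so whether such an account can log in depends on the PAM configuration.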


 

Any thoughts?