Learn different ways to restrict users from accessing the system apart from locking them out. This is one of the essential tips of user management for controlling user access.
Whenever there is a requirement to disable user access on a Linux system, the first thing that comes to mind is locking the user out of the system. But there are many different ways to achieve the same goal, i.e. keeping a user from accessing the account.
We have already seen how to lock/unlock a user account in Linux. The list below shows other ways of disabling access:
- Using the usermod command
- Editing the password hash in the /etc/shadow file
- Editing the login shell in the /etc/passwd file
- By expiring the account lifetime
- By emptying the user password
1. Using usermod command
The usermod command is used to modify user attributes. It has the -L option to lock an account and the -U option to unlock it.
Read more about the usermod command here.
Using this we can disable user access to the system. The command adds a ! in front of the encrypted password in the /etc/shadow file, which makes the system treat the account as locked, so the user's password no longer authenticates. Note that this locks only the password, not the whole account: the user could still get in with another authentication token such as an SSH key, which is why the usermod(8) man page suggests also setting an expiry date (method 4) when the account itself should be disabled.
# cat /etc/shadow |grep usr2
usr2:$6$nEjQiroT$Fjda8KiOIbnELAffHmluJFRC8jjIRWuxEWBePK1gun/ELZRi3glZdKVtPaaZ4tcQLIK2KPZTxdpB3tJvDj3/J1:17128:1:90:7:::
# usermod -L usr2
# cat /etc/shadow |grep usr2
usr2:!$6$nEjQiroT$Fjda8KiOIbnELAffHmluJFRC8jjIRWuxEWBePK1gun/ELZRi3glZdKVtPaaZ4tcQLIK2KPZTxdpB3tJvDj3/J1:17128:1:90:7:::
2. Editing password hash in /etc/shadow
This is the same as above, except that we edit the /etc/shadow file manually using vipw -s, vi or any text editor and put a ! mark in front of the encrypted password. It is always recommended to use the vipw command to edit /etc/passwd (and vipw -s for /etc/shadow), because it locks the file while you edit and so preserves its integrity, unless you really know what you are doing.
3. Editing login shell in /etc/passwd file
As you know, the last field in the /etc/passwd file is the login shell. By setting this field to /sbin/nologin or /bin/false, one can restrict the user's access.
Read more about the /etc/passwd file here.
When /sbin/nologin is the user's shell, at login time the user is shown the "Account not available" message (or the contents of /etc/nologin.txt, if that file exists) and the session exits. If /bin/false is the shell, the user is dropped at login without any message. This field can be set manually by editing /etc/passwd with vipw or vi, or with the usermod -s command.
# usermod -s /sbin/nologin user4
# cat /etc/passwd |grep user4
user4:x:552:200:Test user:/home/user4:/sbin/nologin
---------- Putty login output below -------
login as: slavhate
user4@10.10.2.3's password:
Last login: Thu Dec 1 20:30:06 2016 from 10.100.2.45
Account not available
4. By expiring account lifetime
On a Linux system, every account carries an expiry date as part of its aging information. Setting this date to a date in the past makes the system regard the account's lifetime as over, and the user will not be permitted to log in. The account expiry date can be set with the chage -E option; the date must be in yyyy-mm-dd format.
# date
Thu Dec 1 20:38:36 EDT 2016
# chage -E 2016-11-30 user5
# chage -l user5
Last password change : Dec 01, 2016
Password expires : Mar 01, 2017
Password inactive : never
Account expires : Nov 30, 2016
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
In the above example, we set the expiry date to yesterday, i.e. the account is already expired as of today, and hence the user won't be able to log in. See "Account expires" showing Nov 30 while the current system date is Dec 1.
5. By emptying user password
This is another, trickier way to keep a user from accessing the system. In this method you destroy the user's existing password, so when you enable the user again, the old password no longer works and a new password must be set for the account.
Here you empty the user's password with the passwd -d option; since the password is then empty, the user cannot get in at the login prompt. Check the PAM and sshd configuration before relying on this, though: pam_unix rejects empty passwords only when it is not configured with the nullok option (some distributions ship nullok in their default PAM stack), and sshd rejects them only while PermitEmptyPasswords is at its default of no. With nullok in place, an empty password means no password is required at all.
# passwd -d slavhate
Removing password for user slavhate.
passwd: Success
# passwd -S slavhate
slavhate NP 2016-12-07 1 90 7 -1 (Empty password.)
You can verify that the password has been removed with the passwd -S command; NP in the second column means the account has no password.
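The five methods above all leave a visible trace in /etc/passwd or /etc/shadow, so they can be audited from those two files alone. The shell script below is an added example, not code from the original article: it classifies each account as active or restricted and names the reasons (a nologin shell, a ! or * prefixed hash, an empty hash, or an expiry day that has already passed), and it reports several reasons at once, which is how a usermod -L plus chage -E combination shows up. The passwd and shadow records it reads are constructed samples with fake hashes, the helper names classify_account and audit_all are this example's own, and it relies on the shadow(5) rule that the eighth field is the expiry day counted from 1970-01-01 and that login is refused once today reaches that day.

```sh
#!/bin/sh
# Added audit example (not from the original article): classify accounts by the
# restriction methods described above, reading /etc/passwd- and /etc/shadow-style
# records. The sample records are constructed; the hashes are fake placeholders.
# To audit a live system, load the two variables from the real files instead
# (reading /etc/shadow requires root).

SAMPLE_PASSWD='usr1:x:1001:1001:Normal user:/home/usr1:/bin/bash
usr2:x:1002:1002:Locked by usermod -L:/home/usr2:/bin/bash
usr3:x:1003:1003:Locked and expired:/home/usr3:/bin/bash
user4:x:552:200:Test user:/home/user4:/sbin/nologin
user5:x:1005:1005:Expired on 2016-11-30:/home/user5:/bin/bash
slavhate:x:1006:1006:Emptied by passwd -d:/home/slavhate:/bin/bash'

# Shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (lastchange and expire are days since 1970-01-01; 17136 is 2016-12-01).
SAMPLE_SHADOW='usr1:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:17128:1:90:7:::
usr2:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:17128:1:90:7:::
usr3:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:17128:1:90:7::1:
user4:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:17128:1:90:7:::
user5:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:17136:0:90:7::17135:
slavhate::17142:1:90:7:::'

# classify_account USER TODAY_DAYS
# Prints "active" or "restricted:<reason>[ <reason>...]" for USER. TODAY_DAYS
# is the current date as days since the epoch, passed in so results are
# reproducible. Hypothetical helper for this example, not a system command.
classify_account() {
    pline=$(printf '%s\n' "$SAMPLE_PASSWD" | grep "^$1:") || { echo unknown; return 1; }
    sline=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$1:") || { echo unknown; return 1; }
    shell=${pline##*:}                                   # method 3: login shell field
    pwhash=$(printf '%s\n' "$sline" | cut -d: -f2)       # methods 1, 2, 5: hash field
    expire=$(printf '%s\n' "$sline" | cut -d: -f8)       # method 4: expiry day
    reasons=""
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) reasons="$reasons nologin-shell" ;;
    esac
    case $pwhash in
        '!'*|'*'*) reasons="$reasons locked-password" ;;  # ! from usermod -L / passwd -l
        '')        reasons="$reasons empty-password" ;;   # passwd -d; see the nullok caveat
    esac
    # shadow treats the account as expired once today >= expiry day
    if [ -n "$expire" ] && [ "$expire" -le "$2" ]; then
        reasons="$reasons expired"
    fi
    if [ -z "$reasons" ]; then echo active; else echo "restricted:${reasons# }"; fi
}

# audit_all TODAY_DAYS: one report line per account in the passwd sample
audit_all() {
    printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1 | while read -r u; do
        printf '%-10s %s\n' "$u" "$(classify_account "$u" "$1")"
    done
}

# Report against the real current date (all sample expiry days are in 2016).
audit_all "$(( $(date +%s) / 86400 ))"
```

Run as-is, it prints one line per sample account without needing root. Cross-check its verdicts against passwd -S (LK for a locked hash, NP for an empty one) and chage -l for the expiry date; an account that shows only locked-password is the case the usermod(8) note warns about, since a key-based login may still be possible until an expiry date is added as well.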