Learn different ways to restrict a user from accessing the system apart from locking the account out. This is one of the essential tips for user access management.
Whenever there is a requirement to disable user access on a Linux system, the first thing that comes to mind is locking the user out of the system. But there are many different ways to achieve the same goal, i.e. preventing a user from accessing their account.
We have already seen how to lock/unlock a user account in Linux. The list below shows other ways of disabling access:
- Using the usermod command
- Editing the password hash in the /etc/shadow file
- Editing the login shell in the /etc/passwd file
- By expiring the account lifetime
- By emptying the user's password
1. Using usermod command
The usermod command is used to modify user attributes. It has a -L option to lock an account and a -U option to unlock it.
Read more about usermod command here.
Using this we can disable a user's access to the system. The command prepends a ! to the encrypted password in the /etc/shadow file (as the output below shows). The hash then no longer matches any password, so the system treats the account as locked and refuses the login.
```
# cat /etc/shadow | grep usr2
usr2:$6$nEjQiroT$Fjda8KiOIbnELAffHmluJFRC8jjIRWuxEWBePK1gun/ELZRi3glZdKVtPaaZ4tcQLIK2KPZTxdpB3tJvDj3/J1:17128:1:90:7:::
# usermod -L usr2
# cat /etc/shadow | grep usr2
usr2:!$6$nEjQiroT$Fjda8KiOIbnELAffHmluJFRC8jjIRWuxEWBePK1gun/ELZRi3glZdKVtPaaZ4tcQLIK2KPZTxdpB3tJvDj3/J1:17128:1:90:7:::
```
2. Editing password hash in /etc/shadow
This is the same as above, except that we edit the file manually with vi, vipw or any text editor and put a ! mark in front of the encrypted password. The hash lives in /etc/shadow (see the usermod output above). It is always recommended to use vipw (vipw -s for /etc/shadow) rather than a plain editor, because it locks the file while you edit it and so maintains its integrity, unless you know exactly what you are doing.
3. Editing login shell in /etc/passwd file
As you know, the last field in /etc/passwd is the login shell. By setting this field to /sbin/nologin or /bin/false, one can restrict the user's access.
Read more about /etc/passwd file here.
When /sbin/nologin is set for a user, at login time that user is shown an "Account not available" message (or the contents of /etc/nologin.txt, if that file exists) and the session exits. If /bin/false is set, the session exits at login time without any message. This field can be set manually by editing /etc/passwd with vipw or vi, or with the usermod -s command.
```
# usermod -s /sbin/nologin user4
# cat /etc/passwd | grep user4
user4:x:552:200:Test user:/home/user4:/sbin/nologin
---------- Putty login output below -------
login as: slavhate
email@example.com's password:
Last login: Thu Dec 1 20:30:06 2016 from 10.100.2.45
Account not available
```
4. By expiring account lifetime
On a Linux system every account has a lifetime, i.e. an expiry date is attached to each account. By setting this expiry date to a date in the past, one makes the account appear expired to the system, and hence the user is not permitted to log in. The account expiry date can be set with the chage -E option. The date format must be yyyy-mm-dd.
```
# date
Thu Dec 1 20:38:36 EDT 2016
# chage -E 2016-11-30 user5
# chage -l user5
Last password change                                    : Dec 01, 2016
Password expires                                        : Mar 01, 2017
Password inactive                                       : never
Account expires                                         : Nov 30, 2016
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
```
In the example above we set the expiry date to yesterday, i.e. the account is already expired today, and hence the user will not be able to log in. Note that "Account expires" shows 30 Nov while the current system date is 1 Dec.
5. By emptying user password
This is another tricky way to keep a user from accessing the system. In this method, however, you will be losing the user's existing password: when you re-enable the user on the system, they will not be able to use the old password, and a new password has to be set up for the account.
In this method you empty the user's password. Since the password is empty, the user will not be able to get in at the login prompt. You can empty a password with the -d option of passwd.
```
# passwd -d slavhate
Removing password for user slavhate.
passwd: Success
# passwd -S slavhate
slavhate NP 2016-12-07 1 90 7 -1 (Empty password.)
```
You can verify that the password has been removed with the passwd -S command; NP in its output means the account has no password.
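As an added example (not from the original post), the POSIX shell script below audits which of the five restrictions from sections 1 to 5 applies to each account, by reading passwd- and shadow-format data: a ! or * prefix on the hash (usermod -L or manual edit), an empty hash (passwd -d), an expiry day on or before today (chage -E), and a /sbin/nologin or /bin/false shell (usermod -s). The sample passwd and shadow lines are constructed, the hashes are placeholders, and the user names reuse those from the post. An empty hash is reported as its own state rather than as "locked" because, unlike a ! prefix, whether it actually denies login depends on the PAM stack (pam_unix's nullok option) and on sshd's PermitEmptyPasswords setting, so an auditor should treat it as a finding to verify, not as a lock.

```shell
#!/bin/sh
# Added example, not part of the original post: classify accounts by the access
# restriction applied to them, from passwd- and shadow-format files.
# Sample data is constructed; the hashes are placeholders, not real hashes.

# write_samples DIR: create constructed passwd and shadow files in DIR.
write_samples() {
    cat > "$1/passwd" <<'EOF'
usr2:x:550:200:Test user:/home/usr2:/bin/bash
user4:x:552:200:Test user:/home/user4:/sbin/nologin
user5:x:553:200:Test user:/home/user5:/bin/bash
slavhate:x:554:200:Test user:/home/slavhate:/bin/bash
alice:x:555:200:Test user:/home/alice:/bin/bash
EOF
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    # Days since the epoch: 17135 = 2016-11-30, 17136 = 2016-12-01 (the dates
    # used in the post's chage example), 17142 = 2016-12-07.
    cat > "$1/shadow" <<'EOF'
usr2:!$6$salt$PLACEHOLDERHASH:17128:1:90:7:::
user4:$6$salt$PLACEHOLDERHASH:17128:1:90:7:::
user5:$6$salt$PLACEHOLDERHASH:17136:0:90:7::17135:
slavhate::17142:1:90:7:::
alice:$6$salt$PLACEHOLDERHASH:17142:0:90:7:::
EOF
}

# classify_accounts PASSWD_FILE SHADOW_FILE TODAY_DAYS
# Prints "<user> <status>" for every shadow entry. Status starts with
# active | locked | empty-password and gains ",expired" and/or
# ",no-login-shell" when those restrictions also apply.
classify_accounts() {
    awk -F: -v today="$3" '
        # First file (passwd): remember each user login shell (7th field).
        NR == FNR { shell[$1] = $7; next }
        # Second file (shadow): inspect the hash, the expiry day and the shell.
        {
            hash = $2; expire = $8
            if (hash == "")          status = "empty-password"  # passwd -d
            else if (hash ~ /^[!*]/) status = "locked"          # usermod -L or manual !
            else                     status = "active"
            # chage -E: the account is unusable from the expiry day onward.
            if (expire != "" && expire + 0 <= today + 0) status = status ",expired"
            # usermod -s /sbin/nologin or /bin/false
            if (shell[$1] ~ /\/(nologin|false)$/) status = status ",no-login-shell"
            print $1, status
        }' "$1" "$2"
}

# account_status PASSWD_FILE SHADOW_FILE TODAY_DAYS USER: status string for USER.
account_status() {
    classify_accounts "$1" "$2" "$3" | awk -v u="$4" '$1 == u { print $2 }'
}

# Run against the constructed data with "today" = 2016-12-01 (17136).
# On a real host (as root) use:
#   classify_accounts /etc/passwd /etc/shadow "$(( $(date +%s) / 86400 ))"
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_samples "$SAMPLE_DIR"
classify_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" 17136
```

With the constructed data the script prints usr2 as locked, user4 as active,no-login-shell, user5 as active,expired, slavhate as empty-password and alice as active. Only the hash prefix and the expiry day are evaluated from /etc/shadow; the inactive field (days after password expiry before the account locks) is deliberately not modelled here.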