Learn different ways to restrict users from accessing the system, apart from simply locking them out. This is one of the essential user-management tips for controlling user access.
Whenever there is a requirement to disable a user's access on a Linux system, the first thing that comes to mind is locking the user out of the system. But there are several other ways to achieve the same goal, i.e. preventing a user from accessing the account.
We have already seen how to lock/unlock a user account in Linux. The list below shows other ways of disabling access:
- Editing the password hash
- Editing the login shell in /etc/passwd
- Expiring the account lifetime
- Emptying the user password
1. Using usermod command
The usermod command is used to modify user attributes. It has the -L option to lock an account and the -U option to unlock it. Read more about usermod command here.
Using this we can disable user access to the system. The command adds a ! in front of the encrypted password in the /etc/shadow file, as the output below shows. This in turn makes the system treat the account as locked, so the user is not permitted to log in with a password.
# cat /etc/shadow | grep usr2
usr2:$6$nEjQiroT$Fjda8KiOIbnELAffHmluJFRC8jjIRWuxEWBePK1gun/ELZRi3glZdKVtPaaZ4tcQLIK2KPZTxdpB3tJvDj3/J1:17128:1:90:7:::
# usermod -L usr2
# cat /etc/shadow | grep usr2
usr2:!$6$nEjQiroT$Fjda8KiOIbnELAffHmluJFRC8jjIRWuxEWBePK1gun/ELZRi3glZdKVtPaaZ4tcQLIK2KPZTxdpB3tJvDj3/J1:17128:1:90:7:::
2. Editing password hash in /etc/passwd
This is the same as above. The only difference is that we edit the /etc/passwd file manually, using vipw or any text editor, and put a ! mark in front of the encrypted password. It is always recommended to use the vipw command to edit /etc/passwd to maintain the integrity of the file, unless you know what you are doing. On systems using shadow passwords the hash lives in /etc/shadow instead, which vipw -s edits with the same file locking.
3. Editing login shell in /etc/passwd file
As you know, the last field in the /etc/passwd file is the login shell. By setting this field to a non-login shell such as /bin/false, one can restrict the user's access. Read more about /etc/passwd file here.
If /sbin/nologin is defined as the shell, at login the user is shown the message "Account not available" (or the contents of /etc/nologin.txt, if that file exists) and the session exits. If /bin/false is defined, the user is logged out at login time without any message. This field can be set manually by editing the file with vi, or with the usermod -s command.
# usermod -s /sbin/nologin user4
# cat /etc/passwd | grep user4
user4:x:552:200:Test user:/home/user4:/sbin/nologin
---------- Putty login output below -------
login as: slavhate
email@example.com's password:
Last login: Thu Dec 1 20:30:06 2016 from 10.100.2.45
Account not available
4. By expiring account lifetime
On a Linux system every account carries an account expiry field. Setting this expiry to a past date makes the account appear expired to the system, which then won't permit the user to log in. The account expiry date is set with the chage -E option; the date format is yyyy-mm-dd.
# date
Thu Dec 1 20:38:36 EDT 2016
# chage -E 2016-11-30 user5
# chage -l user5
Last password change : Dec 01, 2016
Password expires : Mar 01, 2017
Password inactive : never
Account expires : Nov 30, 2016
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
In the above example we set the expiry date to yesterday, i.e. the account is already expired today, and hence the user won't be able to log in. See "Account expires" showing Nov 30 while the current system date is Dec 1.
5. By emptying user password
This is another tricky way to prevent users from accessing the system, but in this method you lose the user's existing password. So when you re-enable the user on the system, the user won't be able to use the old password; a new password needs to be set for the account.
In this method you empty the user password. With the password empty, the user won't be able to get in at the login prompt. Be aware that this depends on the PAM configuration: if pam_unix is configured with the nullok option, an empty password allows password-less login, so check /etc/pam.d (and sshd's PermitEmptyPasswords, which defaults to no) before relying on this method. You can empty the password using passwd -d:
# passwd -d slavhate
Removing password for user slavhate.
passwd: Success
# passwd -S slavhate
slavhate NP 2016-12-07 1 90 7 -1 (Empty password.)
You can verify that the password has been removed using the passwd -S command; NP in its output means no password is set.
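As an added example (not part of the original article), the following Python script audits /etc/passwd and /etc/shadow entries for the four disabling states covered above: a ! in front of the hash, a non-login shell, a past account expiry and an empty password. The entries are constructed sample data; the user names and the 2016-12-01 date mirror the examples above, and the hashes are placeholders.

```python
from datetime import date, timedelta

# Constructed sample entries (not copied from a real system); each user
# illustrates one disabling method, while "alice" is still active.
PASSWD = """\
usr2:x:550:200:Test user:/home/usr2:/bin/bash
user4:x:552:200:Test user:/home/user4:/sbin/nologin
user5:x:553:200:Test user:/home/user5:/bin/bash
slavhate:x:554:200:Test user:/home/slavhate:/bin/bash
alice:x:555:200:Test user:/home/alice:/bin/bash
"""
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# 17135 days since the epoch is 2016-11-30, the expiry used above.
SHADOW = """\
usr2:!$6$salt$hash:17128:1:90:7:::
user4:$6$salt$hash:17128:1:90:7:::
user5:$6$salt$hash:17136:0:90:7::17135:
slavhate::17142:1:90:7:::
alice:$6$salt$hash:17136:0:90:7:::
"""
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
EPOCH = date(1970, 1, 1)
TODAY = date(2016, 12, 1)  # system date in the chage example above

def audit(passwd_text, shadow_text, today):
    """Map each shadow user to the reasons login is disabled ([] = active)."""
    shells = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7:  # name:x:uid:gid:gecos:home:shell
            shells[f[0]] = f[6]
    report = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 8:
            continue
        user, pw, expire = f[0], f[1], f[7]
        reasons = []
        if pw.startswith(("!", "*")):
            reasons.append("password locked")
        elif pw == "":
            # Only a lockout if pam_unix is not configured with nullok.
            reasons.append("empty password (verify PAM nullok is off)")
        if shells.get(user) in NOLOGIN_SHELLS:
            reasons.append("non-login shell " + shells[user])
        # pam_unix refuses login once today >= the expiry day.
        if expire.isdigit() and EPOCH + timedelta(days=int(expire)) <= today:
            reasons.append("account expired")
        report[user] = reasons
    return report
```

Running audit(PASSWD, SHADOW, TODAY) flags usr2, user4, user5 and slavhate with one reason each and reports alice as active.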