HowTo Disable a User Account in Linux
This short howto shows how to disable a user account under Linux. This is useful when you don’t want to permanently remove the user, but just want the account disabled so that it can no longer use the system. The user will still receive emails, for example, but he will not be able to log in and read them.
Modern Linux systems use /etc/shadow to store the encrypted user passwords. The quickest way to disable a user is to alter his password stored in /etc/shadow. Normally an active user account will have one line in /etc/shadow that looks like:
user:$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
where the second field is the encrypted password.
If we replace the password with “*” or “!” this will make the account unusable, and it will mean that no login is permitted for the user:
user:*:13852:0:99999:7:::
This method has the disadvantage that the user’s password will be lost (unless saved somewhere, etc.) if we want to re-enable the account later. From this point of view, a much better method is to use the passwd command to lock the account:
passwd -l <username>
The output of a successful change will be “Password changed.”. This actually just changes the shadow file and adds “!” in front of the user’s password:
user:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
Of course, we could also do this manually ourselves if we want ;-).
If you ever need to re-enable the account, just unlock it:
passwd -u <username>
or just manually remove the “!” character from the user’s password line in /etc/shadow.
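The three states described above (usable hash, “!” in front of the hash, hash replaced by “*” or “!”) can be told apart by reading the second field of each shadow line. The following is an added example, not part of the original howto: the function names, the state labels and the sample users are assumptions, and the “!!” marker (used by some distributions for accounts that never had a password) does not appear in the text above.

```shell
#!/bin/sh
# Added example: classify the password field (field 2) of /etc/shadow lines.
# SAMPLE is constructed; the hash is the one shown in this howto.
SAMPLE='alice:$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
bob:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
carol:*:13852:0:99999:7:::'

# shadow_state LINE -> prints active | locked | disabled | empty | malformed
shadow_state() {
    case "$1" in
        *:*) ;;
        *) echo "malformed"; return 1 ;;
    esac
    _rest=${1#*:}          # drop the user name and the first colon
    _field=${_rest%%:*}    # keep everything up to the next colon
    case "$_field" in
        '')            echo "empty" ;;     # no password required to log in
        '*'|'!'|'!!')  echo "disabled" ;;  # hash replaced: old password is lost
        '!'*)          echo "locked" ;;    # "!" + hash: passwd -u restores it
        *)             echo "active" ;;    # a usable password hash
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user state" per line
audit_shadow() {
    while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        printf '%s %s\n' "${_line%%:*}" "$(shadow_state "$_line")"
    done
}

# Demo on the constructed sample; on a real system run as root:
#   audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE" | audit_shadow
```

The reported state only covers password logins; as the comments below point out, a locked account can still be reached over ssh with key-based authentication.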
Of course, if you don’t need all this and just want to permanently remove the user, just run:
userdel <username>
This will keep his old files (home directory, mails, etc.). To delete all his files on the system as well, run:
userdel -r <username>
Just be careful to check what the user’s home directory is before running this command, as personally I have seen someone do this and erase the whole system… the user had “/” set as home ;-).
5th December 2007, 14:36
Why not just set their login shell in /etc/passwd to /bin/false? That way, you don’t lose the password, but when they try to log in, they immediately get disconnected?
5th December 2007, 14:49
Glen: thanks for your comment. Regarding what you said: that will not disable the user. It will just prevent him from logging in to shell-based applications like ssh, for example, and others that check the shell, like some ftp daemons. Still, the user will be functional and able to receive emails or use other services that are not based on the shell. What’s more, the user can even have no shell in the first place ;-).
Cheers,
- Marius -
19th December 2007, 03:50
Dear Sirs, I tried, but the email account is also locked. Is there any way I can disable the user login while the user is still able to send/receive email? I remember something like a nologin file to place somewhere. Thanks.
19th December 2007, 09:44
Thavee: it depends on what kind of access you give your users and what you want to deny. From what I understand, you just want to disable shell access and leave others like email functional. For this you just have to make sure that the user doesn’t have a valid shell in /etc/passwd. You can set it to /bin/false, or whatever, but be sure it is not a valid shell like /bin/bash, /bin/sh, etc.
- Marius -
10th January 2008, 06:54
I’d also note that changing the password won’t disable things like logging into ssh via key-based authentication. Not sure about locking the account, though.
10th January 2008, 20:55
HoverHell: you are right… changing the user password (and also locking) will still allow him to connect using ssh via key-based auth. If this is used, then the user’s authorized_keys must be moved to a different location.
Thanks for the note,
- Marius -